exactly
I get it now. The values for the p3 and p4 properties are invalid JSON. I think of the () around values as enabling us to embed ObjectScript inside JSON.
set myObject = { "p1":"abcd", "p2":true, "p3":(value), "p4":(sum+2) }
<- ObjScript -><-------------------- JSON----><ISOS-><-JSON><-ISOS><JSON>
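The parenthesised-expression rule above, worked through in a short ObjectScript routine. This is an added example, not code from the original thread; the names BuildObject, Demo, value and sum are illustrative, and the "untrusted" input string is constructed for the demonstration.

```objectscript
 ; Added example, not from the thread. "value" and "sum" are illustrative names.
BuildObject(value, sum) PUBLIC {
    // Bare JSON tokens (strings, numbers, true/false/null) need no parentheses.
    // A value wrapped in () is an ObjectScript expression evaluated at runtime;
    // writing "p3":value without the parentheses is rejected as invalid JSON.
    set myObject = { "p1":"abcd", "p2":true, "p3":(value), "p4":(sum+2) }
    quit myObject
}

Demo() PUBLIC {
    // Constructed untrusted text containing quotes and a brace. Because it is
    // passed in as a value, %ToJSON() escapes it and it cannot change the
    // structure of the resulting document.
    set obj = $$BuildObject("he said ""hi"" {", 40)
    write obj.%ToJSON(), !
    // Property access returns the original, unescaped text.
    write obj.p3, !
    // For contrast, concatenating the same text into a JSON string by hand
    // would splice the raw quotes and brace straight into the output.
    quit
}
```

Run `do Demo^<routine>()` (or `write $$BuildObject^<routine>("x",1).%ToJSON()`) from the terminal. The point for anyone building JSON from external input: the parentheses hand the value to the dynamic-object engine, which serialises it safely, whereas string concatenation leaves escaping to you.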
Ash is correct! I prefer to explain it slightly differently. I don't consider SQL injection as a "problem" with Dynamic SQL because you should simply never concatenate user input into a query (using IRIS or any other platform). Always use placeholders, which eliminates the risk. And the other 2 SQL options (Embedded SQL and Class Queries) accept input via host variables like :minAge. All automatically sanitize the input.
One further clarification: years ago, it's true that Dynamic SQL was the only one of the 3 options that was compiled at runtime; the other two were compiled at class compile time. But since Runtime Plan Choice (v2021.2), queries with input parameters in the WHERE clause (as discussed in this post) are compiled at runtime, whether you use Dynamic, Embedded, or Class Queries.
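The three options named above, each taking minAge as a bound value rather than concatenated text. This is an added example, not code from the thread or from InterSystems; it assumes an illustrative table Sample.Person with Name and Age columns, and the class name Demo.SafeQueries is made up.

```objectscript
/// Added example, not from the original thread. Assumes an illustrative
/// table Sample.Person with Name and Age columns; minAge is untrusted input.
Class Demo.SafeQueries
{

/// Dynamic SQL: the ? placeholder is bound at execution and is never parsed
/// as SQL text, so the shape of the query cannot change with the input.
ClassMethod NamesByAge(minAge As %Integer) As %ListOfDataTypes
{
    set names = ##class(%ListOfDataTypes).%New()
    // The anti-pattern this thread warns against would be:
    //   set sql = "SELECT Name FROM Sample.Person WHERE Age >= " _ minAge
    set sql = "SELECT Name FROM Sample.Person WHERE Age >= ?"
    set rs = ##class(%SQL.Statement).%ExecDirect(, sql, minAge)
    if rs.%SQLCODE < 0 {
        throw ##class(%Exception.SQL).CreateFromSQLCODE(rs.%SQLCODE, rs.%Message)
    }
    while rs.%Next() {
        do names.Insert(rs.%Get("Name"))
    }
    return names
}

/// Embedded SQL: :minAge is a host variable, passed as a value, not spliced
/// into the statement text.
ClassMethod CountByAge(minAge As %Integer) As %Integer
{
    &sql(SELECT COUNT(*) INTO :count FROM Sample.Person WHERE Age >= :minAge)
    if SQLCODE < 0 {
        throw ##class(%Exception.SQL).CreateFromSQLCODE(SQLCODE, %msg)
    }
    return count
}

/// Class query: the same host-variable binding, exposed as a reusable query.
/// Usage: set rs = ##class(Demo.SafeQueries).ByAgeFunc(18)
Query ByAge(minAge As %Integer) As %SQLQuery
{
    SELECT Name, Age FROM Sample.Person WHERE Age >= :minAge
}

}
```

In all three forms the database receives the statement and the value separately, which is why no per-call sanitising is needed; the only way to reintroduce the risk is the commented-out concatenation line. The `%SQLCODE` / `SQLCODE` checks are there because a failed statement otherwise returns an empty result silently.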