Remedy #1: Never connect to the database as the administrator (sysadmin/root) account.
Give the application its own database account that holds only the privileges it actually needs: the principle of least privilege. A SQL injection can then do no more damage than that account is allowed to do.
Remedy #2: Build SQL statements securely.
Use placeholders, often referred to as parameterized commands or prepared statements. The SQL text is fixed when the statement is prepared and the values are sent to the database separately as data, so user input can never change the structure of the statement.
Qt4 parameterized commands:
#include <QSqlQuery>
#include <QSqlError>
#include <QVariant>
#include <QDebug>
QSqlQuery query;
// The SQL text contains only placeholders; the values are supplied separately.
query.prepare("INSERT INTO person (id, forename, surname) "
              "VALUES (?, ?, ?)");
query.bindValue(0, 1001);       // bound as data, never spliced into the SQL text
query.bindValue(1, "Bart");
query.bindValue(2, "Simpson");
if (!query.exec())              // exec() returns false on failure; check it
    qWarning() << query.lastError().text();
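To show why Remedy #2 works, here is an added example that is not part of the original post: the same person table as the Qt4 snippet, queried once by concatenating the user input into the SQL text and once with a placeholder. Python's standard-library sqlite3 module stands in for Qt's QSqlQuery (an assumption; the mechanism of binding values separately from the statement is the same), and the table contents are constructed for the demonstration. The concatenated version lets a crafted surname return every row and chokes on a legitimate apostrophe; the placeholder version treats both inputs as plain data.

```python
import sqlite3


def make_db():
    """Constructed in-memory database mirroring the page's person table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE person (id INTEGER PRIMARY KEY, forename TEXT, surname TEXT)"
    )
    conn.execute("INSERT INTO person VALUES (1, 'Homer', 'Simpson')")
    conn.execute("INSERT INTO person VALUES (2, 'Marge', 'Simpson')")
    conn.commit()
    return conn


def find_by_surname_vulnerable(conn, surname):
    """VULNERABLE: the user-supplied surname becomes part of the SQL text."""
    sql = (
        "SELECT id, forename FROM person WHERE surname = '"
        + surname
        + "' ORDER BY id"
    )
    return conn.execute(sql).fetchall()


def find_by_surname_parameterized(conn, surname):
    """SAFE: the SQL text is fixed; the surname is bound as a value (Remedy #2)."""
    sql = "SELECT id, forename FROM person WHERE surname = ? ORDER BY id"
    return conn.execute(sql, (surname,)).fetchall()


def insert_person_vulnerable(conn, id_, forename, surname):
    """VULNERABLE insert built by string formatting.

    Returns None on success, or the database error text. A surname such as
    O'Brien breaks the statement because the quote is interpreted as SQL.
    """
    sql = "INSERT INTO person (id, forename, surname) VALUES (%d, '%s', '%s')" % (
        id_,
        forename,
        surname,
    )
    try:
        conn.execute(sql)
        conn.commit()
        return None
    except sqlite3.Error as exc:
        return str(exc)


def insert_person_parameterized(conn, id_, forename, surname):
    """SAFE insert: the same INSERT as the Qt4 snippet, with ? placeholders."""
    conn.execute(
        "INSERT INTO person (id, forename, surname) VALUES (?, ?, ?)",
        (id_, forename, surname),
    )
    conn.commit()


if __name__ == "__main__":
    db = make_db()
    payload = "Nobody' OR '1'='1"          # classic tautology injection
    print("vulnerable :", find_by_surname_vulnerable(db, payload))   # every row
    print("parameterized:", find_by_surname_parameterized(db, payload))  # []
    print("vulnerable insert of O'Brien:", insert_person_vulnerable(db, 3, "Conor", "O'Brien"))
    insert_person_parameterized(db, 1001, "Bart", "O'Brien")
    print("parameterized lookup:", find_by_surname_parameterized(db, "O'Brien"))
```

The parameterized lookup for the injection payload returns nothing because the database searched for a surname literally equal to the string `Nobody' OR '1'='1`; the quote and the OR never reached the SQL parser. The same property is what makes the apostrophe in O'Brien harmless.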