Hi guys - Just some quick feedback on this. There was a security issue related to SQL Events / SQL Injection.. The data should never be saved into our tables like ###'### or ###$### but... IF you are using a SQL Event and storing the data within your own tables, we are using a few routines to replace all ' marks along with a few others such as works like DELETE, INSERT, COUNT, and -- which represents comments in SQL. We identified a few methods from a client who brought this to our attention as a security risk. Once verified we added this code in place, so you could easily replace this BACK within your SQL Event. We might later make this optional as a configuration option to "Protect against SQL Injection". Technically if you are using stored procedures and you are not using direct SQL/Insert statements then there wouldn't be any harm. In this case though we had to implement something right away. So... Within your SQL statement I can give you the correct SQL you would need to replace ###'### or ###--### with just -- and therefore this would fix you up. Thanks, Chad
|