Bugtraq mailing list archives

Re: RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory)


From: ct7 () UNICORNSREST ORG (W. Craig Trader)
Date: Wed, 9 Feb 2000 12:17:01 -0500


"Smith, Eric V." wrote:

> Not true, at least for the case of MS Sql Server 7.  The following
> statement:
>
> insert into customer (name, primary_contact)
> values ('a', '4')
>
> succeeds where primary_contact is of type int (I also tried numeric just to
> be sure).  I write code like this all of the time when I know the column
> names but not their types.

Did you actually try this yourself before posting?  What results did you
observe?

I don't have a copy of SQL Server lying around, but I can speak to
several other RDBMSes (Oracle 7 & 8, MS Access, MySQL, Informix, and other
lesser products) as well as the SQL 89 and SQL 92 standards.  In standard
SQL, you must not use quotes around non-string constants.  Numeric
constants must be unquoted; Date/Time constants must use the Date/Time
delimiter (# for MS Access, other characters for other products).

Have you ever used anything besides Microsoft RDBMSes?  Microsoft is
not well known for their ability to adhere to industry standards.

- Craig -
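The three query shapes argued over above, run side by side, as an added example that is not part of the thread or of wwwthreads. It uses SQLite through Python's sqlite3 module purely because that ships with Python; what happens to the quoted '4' is decided by SQLite's type-affinity rules, so the result shows SQLite's behaviour and is not evidence about SQL Server, Oracle or the SQL standard. The customer table mirrors the one in the quoted post; the sample rows, the '4x' probe and the `0 OR 1=1` payload are constructed for the example.

```python
"""Added example (not from the Bugtraq thread): the quoted-numeric INSERT
from the thread plus three ways of building a lookup on an int column.

SQLite is used only because it ships with Python.  Its type affinity is
what converts the text '4' to the integer 4; other databases have their
own rules, which is the whole point of the thread.
"""
import sqlite3

# Constructed sample rows; the table mirrors the one in the quoted post.
ROWS = [("a", 4), ("b", 7)]


def make_db():
    """In-memory database with an int column, as in the quoted INSERT."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customer (name TEXT, primary_contact INTEGER)")
    con.executemany(
        "INSERT INTO customer (name, primary_contact) VALUES (?, ?)", ROWS
    )
    return con


def stored_type_of_quoted_insert(con, literal):
    """Run the INSERT from the thread with a quoted value and report what
    SQLite actually stored (typeof()).  `literal` is a fixed test constant
    here; the string splice deliberately mirrors the quoted post."""
    sql = (
        "INSERT INTO customer (name, primary_contact) "
        f"VALUES ('probe', '{literal}')"
    )
    con.execute(sql)
    (stored_type,) = con.execute(
        "SELECT typeof(primary_contact) FROM customer WHERE name = 'probe'"
    ).fetchone()
    con.execute("DELETE FROM customer WHERE name = 'probe'")
    return stored_type


def unquoted_lookup(con, contact):
    """Vulnerable form: the numeric value is spliced in unquoted, so any
    SQL the caller supplies runs as SQL."""
    sql = f"SELECT name FROM customer WHERE primary_contact = {contact}"
    return [row[0] for row in con.execute(sql)]


def quoted_escaped_lookup(con, contact):
    """The 'quote everything and double the quotes' defence from the quoted
    post.  The payload is contained, but whether the quoted value still
    matches an int column is up to the database: SQLite applies numeric
    affinity to the literal, so '4' compares equal to 4."""
    escaped = contact.replace("'", "''")
    sql = f"SELECT name FROM customer WHERE primary_contact = '{escaped}'"
    return [row[0] for row in con.execute(sql)]


def portable_lookup(con, contact):
    """Portable form: validate the integer in the application, then bind it
    as a parameter, so the SQL text never contains caller data at all."""
    contact_id = int(contact)  # raises ValueError for '0 OR 1=1'
    sql = "SELECT name FROM customer WHERE primary_contact = ?"
    return [row[0] for row in con.execute(sql, (contact_id,))]


def demo():
    """Exercise every form against one database and collect the results."""
    con = make_db()
    results = {
        "quoted_4_stored_as": stored_type_of_quoted_insert(con, "4"),
        "quoted_4x_stored_as": stored_type_of_quoted_insert(con, "4x"),
        "unquoted_normal": unquoted_lookup(con, "4"),
        "unquoted_injected": unquoted_lookup(con, "0 OR 1=1"),
        "quoted_normal": quoted_escaped_lookup(con, "4"),
        "quoted_injected": quoted_escaped_lookup(con, "0 OR 1=1"),
        "portable_normal": portable_lookup(con, "4"),
    }
    try:
        portable_lookup(con, "0 OR 1=1")
        results["portable_injected"] = "accepted"
    except ValueError:
        results["portable_injected"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On SQLite the quoted '4' lands in the INTEGER column as an integer while '4x' is kept as text, the unquoted lookup returns every row for the injected payload, the quoted-and-escaped lookup returns nothing for it, and the validate-then-bind form refuses it before any SQL is built. Only the last of those is independent of the database's conversion rules.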

