I know this is a loaded question but I want to understand the theory here.
I've tried googling and checking SO for this and i DO understand the SQL injection threat.
My question is: Do you ALWAYS needs parametised queries?
eg.
If I have a user input box to search for "pxName" I have a string:
"SELECT * FROM tblPeople WHERE fName = '" & pxName & "'"
I completely see the risk here, we are open to attack because the user has the power to insert what they want into the input box.
If however I have a variable that I have created.
eg. Created new record via an ADODB recordset. Obtained new PK
run query:
"SELECT * FROM tblPeople WHERE personID = " & NewPrimaryKey
Is this a threat?? As in, should this be parametised as parametised queries are "what you do" or am I actually at risk of SQL injection even though there is no place for a user to even input their dodgy strings to perform an attack?
The main fact is I have created an access app just for me to use and now a bunch of friends with similar businesses are keen to try it. It isn't using Parametisation at all at the moment however of maybe 50 query strings in the VBA, there are only 2 with actual user input boxes, the rest are reports and self generated variable queries like the one above.
Thanks!