Safe strings |
Mon, Feb 6 2006 6:16 PM

Ralf Mimoun

Tim Young [Elevate Software] wrote:

....
> Actually, you bring up a good point - it is very easy for the
> application developer to allow SQL statements to be injected into
> their existing SQL if they're not careful. Unfortunately, there's no
> way for DBISAM to prevent this either.

Just an idea... what about a JustOneLine property? Of course, you need a better name for that. Means: if you have more than one SQL command, you get an exception. Default is false, and it doesn't have to be Published. That would make it a little bit easier to get a grip on some of the problematic queries. You have to write carefully as always, but that thing will give you at least a little defense.

Ralf
Mon, Feb 6 2006 6:41 PM

Eryk Bottomley

matthew,

> That's why I was wondering if there was a function that would "neuter" any
> naughty content of a string. I'll see if I can dig up the ColdFusion
> version tomorrow.

You can use the DBISAM server and slap access permission restrictions on the account executing the SQL to make it "read only". Other than bringing the server to its knees with huge cartesian products there isn't a lot of harm you can do with a SELECT (leaking sensitive data aside of course).

Eryk
Tue, Feb 7 2006 5:04 AM

Okay, the ColdFusion function of interest is <cfqueryparam> which does validation of the data, and also sort of parameterises it. You can specify that the value should be an int, string or whatever. It ensures that if someone enters "7 DELETE FROM Employee" that it can't get through as it is not valid for an integer. If it is supposed to be a string, then you can set a max length, and it puts it in quotes to ensure it is interpreted as such, and not as part of the query.

It strikes me though that this is only half of the issue. If I allow the value "7 DELETE FROM Employee" to get put into my database, then next time it is used in a query that query has to be sure of it being right too. Parameters seem to be the only safe way to ever do this from what I can see. Or religious use of AnsiQuotedStr. Hmm.

/Matthew Jones/
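As an added illustration, not code from this thread, from DBISAM or from ColdFusion: a Python/sqlite3 sketch of the two mechanisms Matthew describes. The value is type-checked before any SQL runs (in the spirit of cfqueryparam's integer type), then bound as a parameter so that even text which was allowed into the database, like the thread's "7 DELETE FROM Employee", stays data when it is read back and reused in a later query (the "other half" of the issue). The table, its rows and the `UNTRUSTED_ID` value are constructed for the example; `ansi_quoted_str` is a hypothetical re-implementation of the quote-doubling behaviour of Delphi's AnsiQuotedStr, included only to contrast hand-built literals with parameters.

```python
import sqlite3

# Constructed sample input taken from the thread: text that is not a valid
# integer and that must never be spliced into a statement as SQL.
UNTRUSTED_ID = "7 DELETE FROM Employee"


def make_db():
    """Build a small in-memory Employee table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Employee (Id INTEGER PRIMARY KEY, Name TEXT, Notes TEXT)"
    )
    conn.executemany(
        "INSERT INTO Employee (Id, Name, Notes) VALUES (?, ?, ?)",
        [(7, "Alice", ""), (8, "Bob", ""), (9, "O'Brien", "")],
    )
    conn.commit()
    return conn


def is_valid_int(value):
    """Type check like cfqueryparam's integer type: only a plain integer passes."""
    try:
        int(value.strip())
        return True
    except (ValueError, AttributeError):
        return False


def validate_str(value, max_length):
    """String check with a maximum length, as cfqueryparam allows."""
    if not isinstance(value, str) or len(value) > max_length:
        raise ValueError("string missing or longer than %d characters" % max_length)
    return value


def ansi_quoted_str(value, quote="'"):
    """Hypothetical Python rendering of Delphi's AnsiQuotedStr: double every
    embedded quote character and wrap the result in quotes."""
    return quote + value.replace(quote, quote + quote) + quote


def find_employee_by_id(conn, raw_id):
    """Validate the type first, then bind the value as a parameter, never as SQL text."""
    if not is_valid_int(raw_id):
        raise ValueError("employee id must be an integer, got %r" % (raw_id,))
    row = conn.execute(
        "SELECT Name FROM Employee WHERE Id = ?", (int(raw_id),)
    ).fetchone()
    return row[0] if row else None


def store_notes(conn, emp_id, raw_notes):
    """Store free text. Its content is allowed through, so every later use must bind it too."""
    notes = validate_str(raw_notes, 200)
    conn.execute("UPDATE Employee SET Notes = ? WHERE Id = ?", (notes, emp_id))
    conn.commit()


def find_ids_by_notes(conn, notes):
    """Second-order case: a value read back from the database is reused in a new
    query. Binding it as a parameter keeps it data whatever it contains."""
    rows = conn.execute("SELECT Id FROM Employee WHERE Notes = ?", (notes,)).fetchall()
    return [r[0] for r in rows]


def find_ids_by_name_quoted(conn, name):
    """The AnsiQuotedStr route: build the literal by hand. Correct when the quoting
    routine is correct, but every call site has to remember to apply it."""
    rows = conn.execute(
        "SELECT Id FROM Employee WHERE Name = " + ansi_quoted_str(name)
    ).fetchall()
    return [r[0] for r in rows]


def employee_count(conn):
    """Row count, used to confirm that nothing was deleted along the way."""
    return conn.execute("SELECT COUNT(*) FROM Employee").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print(find_employee_by_id(db, "7"))           # Alice
    print(is_valid_int(UNTRUSTED_ID))             # False: rejected before any SQL runs
    store_notes(db, 7, UNTRUSTED_ID)              # allowed in as plain text...
    print(find_ids_by_notes(db, UNTRUSTED_ID))    # [7] ...and reused safely as a parameter
    print(find_ids_by_name_quoted(db, "O'Brien")) # [9] embedded quote doubled, not broken
    print(employee_count(db))                     # 3: the table is intact
```

The design point is the one Matthew lands on: validation at the edge stops the obviously wrong value, but only binding (or, failing that, a quoting routine applied at every call site) makes a stored value safe the second time it is used.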
Tue, Feb 7 2006 5:40 AM

The ColdFusion example wouldn't be detected by that unfortunately.

/Matthew Jones/
This web page was last updated on Tuesday, April 30, 2024 at 03:55 PM. © 2024 Elevate Software, Inc. All Rights Reserved.