Thread Safe strings
Mon, Feb 6 2006 6:16 PM

"Ralf Mimoun"
Tim Young [Elevate Software] wrote:
....
> Actually, you bring up a good point - it is very easy for the
> application developer to allow SQL statements to be injected into
> their existing SQL if they're not careful.  Unfortunately, there's no
> way for DBISAM to prevent this either.

Just an idea... what about a JustOneLine property? Of course, you need a
better name for that :-) Means: if you have more than one SQL command, you
get an exception. Default is false, and it doesn't have to be Published. That
would make it a little bit easier to get a grip on some of the problematic
queries. You have to write carefully as always, but that thing will give you
at least a little defense.

Ralf

Mon, Feb 6 2006 6:41 PM

Eryk Bottomley
matthew,

> That's why I was wondering if there was a function that would "neuter" any
> naughty content of a string. I'll see if I can dig up the ColdFusion
> version tomorrow.

You can use the DBISAM server and slap access permission restrictions
on the account executing the SQL to make it "read only". Other than
bringing the server to its knees with huge cartesian products there isn't a
lot of harm you can do with a SELECT (leaking sensitive data aside, of
course).

Eryk
Tue, Feb 7 2006 5:04 AM

Okay, the ColdFusion function of interest is <cfqueryparam>, which does
validation of the data and also sort of parameterises it. You can specify
that the value should be an int, string or whatever. It ensures that if
someone enters "7 DELETE FROM Employee", it can't get through, as it is
not valid for an integer. If it is supposed to be a string, then you can
set a max length, and it puts it in quotes to ensure it is interpreted as
such, and not as part of the query.

It strikes me though that this is only half of the issue. If I allow the
value "7 DELETE FROM Employee" to get put into my database, then next time
it is used in a query that query has to be sure of it being right too.
Parameters seem to be the only safe way to ever do this from what I can
see. Or religious use of AnsiQuotedStr. Hmm.

/Matthew Jones/
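The two defensive ideas raised in this thread, Ralf's "JustOneLine" property (refuse SQL text holding more than one statement) and Matthew's <cfqueryparam>-style typed validation plus bound parameters, as an added example that is not from the original posts, DBISAM or ColdFusion. It uses Python's sqlite3 module as a stand-in for DBISAM (an assumption: DBISAM's own parameter and permission mechanisms are not used here); the Employee table and its rows are constructed sample data, and `typed_param` is a hypothetical helper imitating <cfqueryparam>, not a real library function. `ansi_quoted_str` mirrors the behaviour of Delphi's AnsiQuotedStr that Matthew mentions as the fallback for the cases where a value must be spliced into SQL text.

```python
import sqlite3

# Constructed sample data standing in for a DBISAM Employee table.
SAMPLE_ROWS = [(7, "Alice"), (8, "Bob")]


def typed_param(value, kind, max_len=None):
    """Hypothetical stand-in for <cfqueryparam>: validate the raw input
    against its declared type before it is allowed anywhere near the SQL."""
    if kind == "int":
        text = str(value).strip()
        if not text.lstrip("-").isdigit():
            # "7 DELETE FROM Employee" fails here: not a valid integer.
            raise ValueError(f"not a valid integer: {value!r}")
        return int(text)
    if kind == "str":
        if not isinstance(value, str):
            raise ValueError(f"expected a string, got {type(value).__name__}")
        if max_len is not None and len(value) > max_len:
            raise ValueError(f"string longer than {max_len} characters")
        return value
    raise ValueError(f"unknown parameter kind {kind!r}")


def ansi_quoted_str(s, quote="'"):
    """Python equivalent of Delphi's AnsiQuotedStr: wrap in quotes and double
    every embedded quote. Only for the rare case where a value must be spliced
    into SQL text; bound parameters are preferred."""
    return quote + s.replace(quote, quote * 2) + quote


def make_db():
    """In-memory SQLite database (stands in for DBISAM in this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Employee (Id INTEGER PRIMARY KEY, Name TEXT)")
    conn.executemany("INSERT INTO Employee VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def employee_count(conn):
    return conn.execute("SELECT COUNT(*) FROM Employee").fetchone()[0]


def lookup_by_id(conn, raw_id):
    """Typed validation first, then a bound parameter: the value is never
    part of the SQL text, so there is nothing for the parser to misread."""
    emp_id = typed_param(raw_id, "int")
    row = conn.execute("SELECT Name FROM Employee WHERE Id = ?", (emp_id,)).fetchone()
    return row[0] if row else None


def store_name(conn, emp_id, raw_name):
    """Store a string via a bound parameter and read it back. Whatever the
    text contains, it lands in the Name column as data, not as SQL."""
    name = typed_param(raw_name, "str", max_len=40)
    conn.execute("UPDATE Employee SET Name = ? WHERE Id = ?", (name, emp_id))
    conn.commit()
    return conn.execute("SELECT Name FROM Employee WHERE Id = ?", (emp_id,)).fetchone()[0]


def lookup_by_name(conn, raw_name):
    """Matthew's second concern: a stored value reused in a later query.
    Binding it again keeps it inert on the way back in as well."""
    name = typed_param(raw_name, "str", max_len=40)
    row = conn.execute("SELECT Id FROM Employee WHERE Name = ?", (name,)).fetchone()
    return row[0] if row else None


def lookup_by_name_quoted(conn, raw_name):
    """The AnsiQuotedStr fallback: quote and escape before splicing into SQL."""
    name = typed_param(raw_name, "str", max_len=40)
    sql = "SELECT Id FROM Employee WHERE Name = " + ansi_quoted_str(name)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def run_single_statement(conn, sql):
    """Ralf's 'JustOneLine' idea: run the text only if it is exactly one
    statement, otherwise refuse. sqlite3's execute() already enforces this
    (raising ProgrammingError, or Warning on older Pythons); this wrapper
    just turns that into a True/False outcome the caller can act on."""
    try:
        conn.execute(sql)
        return True
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return False


if __name__ == "__main__":
    db = make_db()
    print(lookup_by_id(db, "7"))                       # Alice
    print(store_name(db, 8, "7 DELETE FROM Employee"))  # stored literally
    print(run_single_statement(db, "SELECT Name FROM Employee; DELETE FROM Employee"))
    print(employee_count(db))                           # still 2
```

The point of the round trip through `store_name` and `lookup_by_name` is the one Matthew raises: a value that was validated on the way in is only safe on the way out if it is bound again rather than pasted into the next query's text. The single-statement check is a coarse backstop, not a substitute for that.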
Tue, Feb 7 2006 5:40 AM

The ColdFusion example wouldn't be detected by that unfortunately.

/Matthew Jones/