Hi Tim,

Thanks for the reminder about Bobby Tables.

This reminds me of a still existing issue, when accessing 4D via ODBC.

I found that I can call a DROP TABLE from various ways with a SQL editor.

I seem to be missing a way to keep them from successfully calling this command, 
except to not let them have ODBC access in the first place.

We have our system set to not allow INSERTS and UPDATES, but DROP TABLE still 
works if they have ODBC access.

Any hot tips to prevent this?  I'm a SQL newbie, so maybe I'm missing something 
obvious.

Thanks

Randy Engle
XC2 Software LLC

-----Original Message-----
From: 4D_Tech [mailto:4d_tech-boun...@lists.4d.com] On Behalf Of Timothy Penner 
via 4D_Tech
Sent: Monday, April 17, 2017 9:01 AM
To: 4D iNug Technical <4d_tech@lists.4d.com>
Cc: Timothy Penner <tpen...@4d.com>
Subject: RE: 4D SQL Implementation

> Using strings built into queries is prone to sql injection if the query has 
> any input from the users and is considered a deadly sin in most cases.

Here is a good example describing why you should never concatenate data into a 
SQL statement; you should always use parameterized queries instead.
http://bobby-tables.com/
http://bobby-tables.com/about

-Tim
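The Bobby Tables failure mode Tim links to, as an added example that is not part of this thread or of 4D's SQL implementation: Python's sqlite3 module stands in for the database, and the table, its rows and the malicious student name are constructed for the demonstration.

```python
import sqlite3

# Constructed input in the style of the bobby-tables.com comic: a "name" that
# closes the string literal and appends its own statement.
BOBBY = "Robert'); DROP TABLE students;--"


def fresh_db():
    """In-memory database with one constructed table and one row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (name TEXT)")
    conn.execute("INSERT INTO students VALUES ('Alice')")
    conn.commit()
    return conn


def table_exists(conn):
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='students'"
    ).fetchone()
    return row[0] == 1


def insert_concatenated(conn, name):
    """Vulnerable form: the value is glued into the statement text.

    executescript runs every statement in the string, so the appended
    DROP TABLE is executed along with the INSERT the developer intended.
    Returns whether the table survived.
    """
    sql = "INSERT INTO students VALUES ('" + name + "');"
    conn.executescript(sql)
    return table_exists(conn)


def insert_parameterized(conn, name):
    """Hardened form: the value travels as a bound parameter.

    The driver never parses it as SQL, so the whole string is stored as
    one name and the table is untouched. Returns whether the table survived.
    """
    conn.execute("INSERT INTO students VALUES (?)", (name,))
    conn.commit()
    return table_exists(conn)


def names(conn):
    return [r[0] for r in conn.execute("SELECT name FROM students ORDER BY name")]
```

Parameterization only stops input from becoming SQL; what a connected ODBC user is permitted to do, Randy's DROP TABLE question, is a separate privilege matter the driver cannot settle.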



**********************************************************************
4D Internet Users Group (4D iNUG)
FAQ:  http://lists.4d.com/faqnug.html
Archive:  http://lists.4d.com/archives.html
Options: http://lists.4d.com/mailman/options/4d_tech
Unsub:  mailto:4d_tech-unsubscr...@lists.4d.com
**********************************************************************