>
> > There is no magical "extra security" conferred by using ?somevariable as
> > opposed to just mySQLCommand = CommandText + somevariable. ?somevariable is
> > just a reference to the content of somevariable. If the type of
> > somevariable is a string, and you don't validate somevariable before it
> > becomes part of a SQL statement, you'll be in trouble either way.
> >
> Not true. If the variable is "delete from table" (it's too late here to
> compose a really dangerous variable, but you get the idea), passing it as a
> literal string will delete the records, while passing it as ?varName will
> not. Try it.
Depends on how it's done. Consider the following code:
CLOSE TABLES ALL
CLOSE DATABASES ALL
ERASE foo.*
ERASE bar.*
ERASE foobar.*
CLEAR
CREATE TABLE Foo (Somefield C(10), Someint I)
INSERT INTO Foo (Somefield,Someint) ;
VALUES ("Y",1)
USE IN Foo
CREATE TABLE Bar(Anyfield C(10), Anyint I)
USE IN Bar
CREATE DATABASE Foobar
OPEN DATABASE Foobar
SET DATABASE TO Foobar
ADD TABLE foo
ADD TABLE bar
testvar = "'Y'" + CHR(10) + CHR(13) + "DROP TABLE BAR"
mysql = "SELECT * FROM Foo WHERE Somefield = " + testvar
? "About to execute concatenated string: " + mysql
* EXECSCRIPT(mysql) && Drops bar
&mysql && No problem
IF FILE("Bar.dbf")
USE bar
BROWSE
ELSE
? "Bar is gone."
ENDIF
IF NOT FILE("Bar.dbf")
CREATE TABLE Bar(Anyfield C(10), Anyint I)
USE IN Bar
ADD TABLE bar && Huh? If bar was dropped, we get an error stating that the table is part of the database
ENDIF
mysql = "SELECT * FROM Foo WHERE Somefield = ?testvar"
? "About to execute parameterized query: " + mysql
*SELECT * FROM Foo WHERE Somefield = ?testvar && No problem
EXECSCRIPT(mysql) && No problem
IF NOT USED("bar")
USE bar IN 0
ELSE
SELECT Bar
ENDIF
BROWSE
MODIFY DATABASE
_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message:
http://leafe.com/archives/byMID/profox/[email protected]
** All postings, unless explicitly stated otherwise, are the opinions of the
author, and do not constitute legal or medical advice. This statement is added
to the messages for those lawyers who are too stupid to see the obvious.
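Added example, not part of the ProFox post above: the same experiment redone in Python with the sqlite3 module so it runs anywhere. sqlite3 has two ways to run SQL text, cursor.execute(), which refuses more than one statement, and cursor.executescript(), which runs a whole batch; using them to mirror the post's two paths (a single statement versus EXECSCRIPT) is our analogy, not something the post states. The schema, the Foo row and the TESTVAR payload are constructed for this example. Because SQLite separates statements with a semicolon rather than a line break, the payload uses "; " where the VFP script used CHR(10)+CHR(13).

```python
import sqlite3

# Constructed attacker-controlled value, same shape as the post's testvar:
# close the string literal, end the statement, then append a DROP.
TESTVAR = "'Y'; DROP TABLE Bar"


def fresh_db():
    """Build the post's two tables in an in-memory database (constructed data)."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE Foo (Somefield TEXT, Someint INTEGER);
        INSERT INTO Foo (Somefield, Someint) VALUES ('Y', 1);
        CREATE TABLE Bar (Anyfield TEXT, Anyint INTEGER);
        """
    )
    return con


def table_exists(con, name):
    """True if a table of that name is still present."""
    row = con.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def concatenated_single_statement(testvar):
    """Splice testvar into the SQL text and run it through execute().

    execute() prepares one statement and rejects any trailing SQL, so the
    DROP never runs.  Returns (outcome, bar_still_exists)."""
    con = fresh_db()
    sql = "SELECT * FROM Foo WHERE Somefield = " + testvar
    try:
        con.execute(sql).fetchall()
        outcome = "ran"
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        # Older Pythons raise Warning, newer ones ProgrammingError, both with
        # "You can only execute one statement at a time."
        outcome = "rejected"
    return outcome, table_exists(con, "Bar")


def concatenated_script(testvar):
    """Same spliced text, but run as a script: every statement executes.

    Returns whether Bar survived (it does not)."""
    con = fresh_db()
    sql = "SELECT * FROM Foo WHERE Somefield = " + testvar
    con.executescript(sql)
    return table_exists(con, "Bar")


def parameterized(testvar):
    """Bind testvar as a parameter: it is compared as data, never parsed.

    Returns (matching rows, bar_still_exists)."""
    con = fresh_db()
    rows = con.execute(
        "SELECT * FROM Foo WHERE Somefield = ?", (testvar,)
    ).fetchall()
    return rows, table_exists(con, "Bar")


if __name__ == "__main__":
    print("concatenated, single statement:", concatenated_single_statement(TESTVAR))
    print("concatenated, script:           Bar exists =", concatenated_script(TESTVAR))
    print("parameterized, payload:         ", parameterized(TESTVAR))
    print("parameterized, plain 'Y':       ", parameterized("Y"))
```

The three outcomes line up with the post: the spliced text is harmless only because the single-statement path refuses to run the second statement, the same text run as a script drops Bar, and the bound parameter matches nothing (Foo holds 'Y', not the quoted payload) while leaving Bar untouched. The safety of the parameter does not depend on which executor is used, which is the point the post is making.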