On Tue, Feb 14, 2012 at 3:56 AM, Ken Dibble <[email protected]> wrote:
> Right, which in turn proves that if you use macro substitution to execute
> concatenated SQL statements in VFP, you cannot construct a statement that
> can damage your data. Which in turn supports my contention that one size
> does not fit all when it comes to effective secure code--a contention that
> was already supported when I demonstrated that use of ? parameters for SQL
> only makes sense in monolithic apps.
>

If the app does not work with VFP data, multiple statements can be constructed by inserting the statement terminator, like ";" for MySQL.

> > "Select * From Users where username = '" + varUsername + "' And password
> > = '" + varPassword + "'"
>
> Not sure where you're going with that.
>
> Have you even TRIED to run this code?
>
> You can't concatenate anything containing "&&" to a string in VFP. That
> surprised me, frankly, but you can't. It won't work; you'll get "Command
> contains unrecognized phrase/keyword":
>
> myvar = "Select * From Users where username = '" && ok
> myvar = myvar + "admin' &&" && Error!
> myvar = myvar + "admin'" && ok
> myvar = myvar + " &&" && Error!
> myvar = "" && ok
> myvar = myvar + "&&" && Error!
>

I am NOT doing that in my line of code; run it first.

> Also, it's insane to let users construct their own SQL commands, or to
> allow them to select a table like "users" or a field like "password" from a
> list of things that can be returned to them.
>
> So the example is not going to occur in the wild unless the application was
> written by an idiot.
>

I am not doing that either in my line of code.

> When users log into my app, they fill in blanks for username and password,
> and the app executes:
>
> "SELECT userid FROM users WHERE login == '" + mylogin + "' AND password ==
> '" + mypassword + "'"
>

EXACTLY my point. Enter [admin ' &&] (without square brackets) as username and a random password
(or any admin user name; I bet your users know the username of their admin).

> The user doesn't see the results of this; the app uses the userid value
> internally to determine what things the user can access. If the user
> inserts CHR(0) or something else into the login, it just won't match
> anything in the users table and s/he won't get in. That's it; end of story.
>

No need to see anything - the app will then log in as admin.

> I'm not arguing that SQL injection doesn't happen. I'm arguing that use of
> ? parameters is not a viable solution in all situations, and is not
> necessary in many situations. I am arguing, instead, that if you do not let
> users insert SQL command terms into an expression, by controlling the
> tables the user can query and the fields that can be returned, and by
> validating what they do enter, at the GUI or business object level, then
> you can be secure without ever using a single ?, which means you don't have
> to bend your design out of shape in order to be in a position to use ?
> parameters.
>

Parameters should be passed as SQL parameters in any situation. There is NO situation where concatenation works and SQL parameters don't. The reverse was demonstrated already by you, in your first message (remember that commented EXECSCRIPT?). In my example above, using SQL parameters will NOT log in the user at all.

> There are no panaceas in life, or in programming. There are no "best
> practices" that are not less than best in at least some situations.
> Flexibility and creativity are to be valued. That is the general argument I
> am making; use of ? parameters is just one of many millions of examples
> where my argument holds true.
>

This is wrong on so many levels that I don't even try to argue.
> Ken Dibble
> www.stic-cil.org
>

[excessive quoting removed by server]

_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: http://leafe.com/archives/byMID/profox/CAH=cqd+9p53jy99vukoxm+3pggntaed8ykkhsfchggcmlij...@mail.gmail.com
** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
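Added example, not from the thread and not VFP: the login check the two posters argue about, written once by string concatenation and once with bound parameters, run against SQLite so the difference can be observed outside VFP. The users table, the two accounts and the passwords are constructed for this example; the column names come from the quoted code. SQLite has no `==` operator and no `&&` comment, so the example uses `=` and `--`, which plays the same statement-truncating role in SQL that `&&` plays in VFP. The point it demonstrates is the replier's: the parameterized version never logs the crafted username in, because the driver hands the value to the engine as data rather than as statement text.

```python
import sqlite3

# Constructed sample data (an assumption for this example, not the poster's
# real schema beyond the column names quoted in the thread).
SAMPLE_USERS = [
    (1, "admin", "s3cret-admin"),
    (2, "alice", "alice-pw"),
]

# The username from the thread, translated to SQL: VFP's "&&" starts a comment
# and "--" does the same in SQLite, so a concatenated WHERE clause loses
# everything after the login comparison, including the password check.
INJECTED_LOGIN = "admin' --"


def make_db():
    """Create an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid INTEGER, login TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_concat(conn, mylogin, mypassword):
    """Login check built by string concatenation, as in the quoted message.

    Returns the matching userid, or None when nothing matches or when the
    concatenated text is not even valid SQL.
    """
    sql = (
        "SELECT userid FROM users WHERE login = '" + mylogin
        + "' AND password = '" + mypassword + "'"
    )
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        # A syntax error is the benign outcome: the input broke the statement
        # instead of rewriting it.
        return None
    return row[0] if row else None


def login_param(conn, mylogin, mypassword):
    """The same check with bound parameters.

    The statement text is fixed; the login and password travel to the engine
    separately, so quote and comment characters inside them are compared as
    column values and never parsed as SQL.
    """
    sql = "SELECT userid FROM users WHERE login = ? AND password = ?"
    row = conn.execute(sql, (mylogin, mypassword)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    for label, check in (("concatenation", login_concat), ("parameters", login_param)):
        ok = check(conn, "admin", "s3cret-admin")
        bad = check(conn, INJECTED_LOGIN, "random-password")
        print(f"{label:14s} correct credentials -> userid {ok}")
        print(f"{label:14s} crafted username    -> userid {bad}")
```

Running the script shows the concatenated query returning userid 1 (the admin) for the crafted username with an arbitrary password, while the parameterized query returns nothing for it and still accepts the real credentials. The try/except in `login_concat` is there only to keep the comparison honest: on a database whose comment syntax differs, the same input would produce a syntax error rather than a silent admin login, which is exactly the dialect-dependence the replier is pointing at.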

