Hi Andy,

yuser = "admin"
ypass = '""

SELECT * FROM users WHERE user = ?yuser AND password = ?ypass

You shouldn't use a single equals :-)

Paul

On Wed, Feb 15, 2012 at 10:05 AM, AndyD <[email protected]> wrote:
> Well I thought I'd resolved this to my own satisfaction years ago, but I
> decided to re-visit it -
> I couldn't find a way to do SQL injection in FoxPro:
> CLEAR
> CREATE CURSOR users (user C(5), password c(5))
> DISPLAY STRUCTURE
> CLEAR
> INSERT INTO users values('poo', 'bear')
> INSERT INTO users values('meme', 'pass')
> INSERT INTO users values('admin', '3j&Kv@')
> yuser = 'meme'
> ypass = 'pass'
> xuser = 'admin &+[& ]'
> xpass = 'abcd'
> lvar = "Select * From Users where user = '" + xuser + "' And password = '" + xpass + "'"
> lvar2 = "Select * From Users where user = '" + yuser + "' And password = '" + ypass + "'"
> SELECT * FROM users WHERE user = ?yuser AND password = ?ypass
> USE IN query
> &lvar2
> USE IN query
> &lvar
> ? _TALLY && 0
> USE IN query
> xuser = 'admin .. ]'
> &lvar
> ? _TALLY && 0
> USE IN query
> xuser = [admin ' &&]
> xuser = "admin &' +[&] "
> &lvar
> ? _TALLY && 0
> USE IN query
> ?xuser
> xuser = "admin' & +[&] "
> ?xuser
> &lvar
> ? _TALLY && 0
> SELECT * FROM users WHERE user = ?xuser AND password = ?xpass
> ? _TALLY && 0
> USE IN query
> CLOSE ALL
> CLEAR ALL
>
> So &mySQLstring and ?xvar both seem safe, although ?vars *feel* like
> better code. I'm pretty sure they're safe with remote views on rdbms as
> well but I don't have one set up to try at the moment.
>
> AndyD 8-)
>
> On 19:59, Ken Dibble wrote:
>>>> Right, which in turn proves that if you use macro substitution to execute
>>>> concatenated SQL statements in VFP, you cannot construct a statement that
>>>> can damage your data.<snip>
>>>> >"Select * From Users where username = '" + varUsername + "' And password
>>>> = '>" + varPassword + "'"
>>>>
>>>> Not sure where you're going with that.
>>>>
>>> Have you even TRIED to run this code?
>> <snip>
>>
>> Select * From Users where username = '" + varUsername + "' And password
>> = '" + varPassword + "'"
>>
>> Assuming correct login and password are supplied, it will return all of the
>> fields in the user's account. That's what "SELECT *" does.
>
>> Why would I use such a query to log somebody in?
>
> if _tally = 1 && log 'em in ??
>
>>
>>>> When users log into my app, they fill in blanks for username and password,
>>>> and the app executes:
>>>>
>>>> "SELECT userid FROM users WHERE login == '" + mylogin + "' AND password ==
>>>> '" + mypassword "'"
>>>>
>>> EXACTLY my point. Enter [admin '&&] (without square brackets) as username
>>> and a random password. ( or any admin user name, I bet your users know the
>>> username of their admin)
>> <snip>
>
> [excessive quoting removed by server]
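An added illustration of Paul's single-equals point (not code from the thread), assuming VFP's default SET ANSI OFF: parameters stop the string from being rewritten, but `=` on character data compares only to the end of the shorter operand, so an empty password matches every row; `==` forces an exact comparison and is the check a login should use.

```foxpro
* Added example, not from the thread. Assumes VFP defaults (SET ANSI OFF).
CLEAR
CLOSE ALL
CREATE CURSOR users (user C(10), password C(10))
INSERT INTO users VALUES ('admin', '3j&Kv@')
INSERT INTO users VALUES ('meme',  'pass')

yuser = "admin"
ypass = ""              && password field left blank

* ?parameters are passed as values, so nothing here is re-parsed as SQL.
* With SET ANSI OFF, though, the single '=' compares character strings only
* to the end of the shorter operand, and '' is a prefix of every password,
* so this query returns the admin row without any password at all.
SELECT * FROM users WHERE user = ?yuser AND password = ?ypass INTO CURSOR hit1
? _TALLY

* '==' is an exact comparison and is not affected by SET ANSI (in SQL the
* char field and the value are blank-padded to the same length first),
* so the blank password no longer matches anything.
SELECT * FROM users WHERE user == ?yuser AND password == ?ypass INTO CURSOR hit2
? _TALLY

* The real password still matches under '==', so the login path keeps working.
ypass = "3j&Kv@"
SELECT * FROM users WHERE user == ?yuser AND password == ?ypass INTO CURSOR hit3
? _TALLY

USE IN hit1
USE IN hit2
USE IN hit3
CLOSE ALL
```

SET ANSI ON would also make `=` pad both operands before comparing, but relying on a session setting is fragile; `==` states the intent in the query itself.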

