On Wed, Feb 15, 2012 at 5:19 AM, Ken Dibble <[email protected]> wrote:

> You are correct. You can enter stuff into a textbox in VFP that cannot be
> inserted into a variable in code.
>
> As it turns out, my app's login code actually defends against login input
> that contains troublesome characters, by setting up the query as follows:
>
> lcSQL = "SELECT userid FROM users WHERE login == '&mylogin'" ;
> + " AND password == '&mypassword' Into cursor crsUser"
>
> In that scenario, [admin' &&] throws Error 36. [admin'&&] will also fail.
> So will a variety of other things.
>
>
That won't help either. The app errors because the resulting string is
missing a double quote.
I have uploaded a new demo, downloadable from
http://www.class-software.eu/sqlparameters2.zip, which demonstrates the
login bypass using your own code.

Username: admin'" &&
pass: any random password.


> Nor does this demonstration change the fact that validating user input
> obviates the need for use of ? parameters, or the fact that ? parameters
> simply cannot be used in a distributed application.
>
> Ken Dibble
> www.stic-cil.org
>
>
Ken, trust me, I have TONS of experience in this kind of shit. You should
take into account that I have 20 years of experience and I've been a VFP MVP
for 5 years in a row until they retired the award.
There is NO WAY to protect yourself if you're using string concatenation,
in ANY form.

On the other hand: do you realistically believe that those huge enterprise
distributed apps (such as SAP, or banking apps) are using string
concatenation? I've had the chance to assist with a SAP implementation and I can
tell you they don't. Parameters all the way (which, in turn, make it easy to
pass parameters which are not easily serializable, such as byte arrays for
webservices).

-----------------------

I took the liberty to demonstrate another concept: Code Injection. Compile
my sqlparameters2 project as an executable.
Download http://www.class-software.eu/myfunc.fxp and place it in the same
folder as the exe. Don't worry, it's harmless but I hope you'll see how
risky string concatenation is.

Now enter this as username:
Username: admin'" And MyFunc() &&
Password: any random password.


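As an added illustration of the contrast drawn in this reply (not code from the thread, from Ken's app or from the sqlparameters2 demo), here is the same login query ported to Python with sqlite3 so it runs offline. The table is constructed, and SQLite's `--` comment marker stands in for the role `&&` plays on the macro-substituted VFP line.

```python
import sqlite3

# Constructed stand-in for the "users" table from the quoted lcSQL query.
def build_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (userid INTEGER, login TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "admin", "correct-horse"), (2, "ken", "s3cret")])
    return con

def login_concat(con, login, password):
    """Vulnerable: same shape as the quoted lcSQL line, with the values
    spliced into the statement text. A quote closes the literal early and a
    comment marker (-- in SQLite; && in the VFP macro-substituted line)
    discards the password check that follows it."""
    sql = ("SELECT userid FROM users WHERE login = '" + login + "'"
           " AND password = '" + password + "'")
    return [row[0] for row in con.execute(sql)]

def login_param(con, login, password):
    """Hardened: values are bound as parameters, so the engine never parses
    them as SQL; a quote or comment marker is just data inside the literal."""
    sql = "SELECT userid FROM users WHERE login = ? AND password = ?"
    return [row[0] for row in con.execute(sql, (login, password))]

if __name__ == "__main__":
    con = build_db()
    bypass = "admin' --"  # constructed analogue of the thread's  admin'" &&
    print("concat:", login_concat(con, bypass, "anything"))       # [1] -> logged in as admin
    print("params:", login_param(con, bypass, "anything"))        # []  -> rejected
    print("legit :", login_param(con, "admin", "correct-horse"))  # [1]
```

The parameterised version needs no character blocklist at all: the input is never part of the statement, which is the point the reply makes about string concatenation "in ANY form".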