> Granted VFP program
> design is 95% prone to sql injection. You combine text to form the
> command and you execute that generated statement. Poof SQL Injection
> is going to be difficult to stop.
I'm obviously completely ignorant about this because I do not understand
this "SQL Injection" issue.
In order to execute code that modifies a table you have to have a valid
EXECUTABLE statement, right?
So something like "DROP TABLE" would be a bad thing. What I don't
understand is how any sane person would design a query interface that
results in a statement like "DROP TABLE" being *executed*.
In my systems, somebody could put "DROP TABLE sometable" into a search
blank, sure. And the result in my code would be something like:
Select foo from bar where bar == "DROP TABLE sometable". That's not
executable, and it won't hurt anything.
So much for searches. What about data entry?
Well again:
Insert into foo (myfield) values ("DROP TABLE")
won't do any harm either. Nor would
Update foo set myfield = "DROP TABLE" where myotherfield = "DELETE ALL"
or whatever else you can imagine.
In fact, as long as you don't let users write out an entire SQL SELECT
expression from scratch, I can't think of any possible combination of data
entry controls and code that would result in an EXECUTABLE expression that
damages data.
Why would anybody design an interface that lets ordinary users have control
of the command terms in a SQL expression, as opposed to just values that go
into, or come out of, tables?
Can somebody explain this to me?
Thanks.
Ken Dibble
www.stic-cil.org
_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message:
http://leafe.com/archives/byMID/profox/[email protected]
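The question above is exactly the one a worked example answers best. The post is right that the string "DROP TABLE sometable" sitting inside a quoted literal does nothing; what the earlier reply calls "combining text to form the command" goes wrong when the user's value contains the quote character that ends the literal, because from that point on the user's text is parsed as command terms, not as data. The following added example (not code from the original thread, and using SQLite through Python rather than VFP) builds a constructed two-row table and runs the same search two ways: once by gluing the search term into the statement text, as the thread describes, and once by passing the term as a bound parameter so it is never parsed as SQL. Table and column names (`notes`, `owner`, `body`) and the sample rows are assumptions for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original post).
ROWS = [("alice", "public note"), ("bob", "private note")]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (owner TEXT, body TEXT)")
    conn.executemany("INSERT INTO notes VALUES (?, ?)", ROWS)
    return conn


def search_concat(conn, term):
    """The pattern the thread describes: the search term is pasted into the
    statement text. Any quote in `term` ends the literal early, and whatever
    follows is executed as part of the WHERE clause."""
    sql = "SELECT owner, body FROM notes WHERE body = '" + term + "'"
    return conn.execute(sql).fetchall()


def search_param(conn, term):
    """The hardened form: the statement text is fixed and the value is bound
    separately, so the database never parses the user's text as SQL."""
    sql = "SELECT owner, body FROM notes WHERE body = ?"
    return conn.execute(sql, (term,)).fetchall()


def concat_breaks_on_quote(conn, term):
    """Report whether the concatenated query even parses for a given term.
    A legitimate value containing an apostrophe (e.g. a surname) produces a
    syntax error, which is the same root cause as the injection: the value
    is being read as statement text."""
    try:
        search_concat(conn, term)
        return False
    except sqlite3.OperationalError:
        return True


def demo():
    """Run the three cases and return the observations as a dict."""
    conn = make_db()
    return {
        # The literal stays a literal: no match, nothing dropped.
        "drop_text_via_concat": search_concat(conn, "DROP TABLE notes"),
        # A quote closes the literal and the rest becomes a tautology,
        # so the search matches every row, including the other user's.
        "tautology_via_concat": search_concat(conn, "x' OR '1'='1"),
        # Same input through a bound parameter: compared as a plain string.
        "tautology_via_param": search_param(conn, "x' OR '1'='1"),
        # An ordinary apostrophe in data is a syntax error when concatenated
        # but is handled correctly when bound.
        "apostrophe_breaks_concat": concat_breaks_on_quote(conn, "O'Brien"),
        "apostrophe_via_param": search_param(conn, "O'Brien"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The point for the reader of the thread is that the interface does not have to "let ordinary users write command terms": the concatenation does that by itself the moment a value contains a quote. The fix is not to scan input for words like DROP but to stop building the command out of text at all, which in SQLite, VFP pass-through and most other drivers means bound parameters.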