>
>How do people login in your applications?
>
>Find anything by user supplied search via Name.
The user would not have the Users table available as an option to search,
first of all. My interface only permits searches on certain tables. The
user can't cause the system to execute 'SELECT password from users where
login = "admin"' and get the results displayed to him or her.
My login process accepts a user name and password and queries the users
table to see if there's a match. If there is, the user is logged in. If
not, the login is rejected.
The query template is something like:
'SELECT loginfield, passwordfield from users where login == "' + login + '"
AND password == "' + password + '"'
IF _TALLY > 0
* User is in and is told as much but the password is not returned to
the user
ELSE
* User is rejected
ENDIF
The user can only change the values of the login and password variables;
nothing else in the statement is user-modifiable.
This search expects only character expressions, and the internal code will
surround them with delimiters. It is not possible in any of my applications
to enter a SQL SELECT command or "special sequence" and have it treated as
anything other than data to be found (or not found) in some field.
Nothing in any of my applications could ever result in a statement like:
SELECT somenastything FROM someothernastything
The user never gets to enter any raw content that goes into a SQL command
expression--only properly delimited values expected to be found in, or
entered into, fields in tables whose names my software strictly controls.
The thing I don't get about this is that this is obvious to me, a
journeyman database developer, as being the only sane way to allow ordinary
users access to data. I do not understand why anybody would do it any other
way, and I don't understand how it is possible for very highly paid,
supposedly top-of-the-mark programmers to have ever created anything so
stupid as to permit this kind of thing to happen.
Ken Dibble
www.stic-cil.org
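Added example, not code from the post above: it mirrors the login template (delimited values spliced into the statement text) against an in-memory SQLite table and puts the same check beside a parameterized query, so you can see what the "properly delimited values" assumption rests on. The table, column names and credentials are constructed; single quotes stand in for the post's double quotes because that is SQLite's string delimiter, and the mechanism is the same.

```python
import sqlite3


def make_db():
    # Constructed sample table and credentials (not from the original post).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", "s3cret"))
    conn.commit()
    return conn


def concatenated_login(conn, login, password):
    """The post's template: wrap each value in delimiters and splice it
    into the statement text before the engine parses it."""
    sql = ("SELECT login, password FROM users WHERE login = '" + login +
           "' AND password = '" + password + "'")
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        # The value itself contained the delimiter, so the engine parsed a
        # different statement than the template intended.
        return ("error", str(exc))
    # As in the post: the caller learns only whether a row matched, never
    # the stored password value.
    return ("ok", len(rows) > 0)


def parameterized_login(conn, login, password):
    """Same check with placeholders: the statement text is fixed and the
    values travel separately, so a delimiter inside a value is just data."""
    sql = "SELECT login, password FROM users WHERE login = ? AND password = ?"
    rows = conn.execute(sql, (login, password)).fetchall()
    return ("ok", len(rows) > 0)


if __name__ == "__main__":
    db = make_db()
    print(concatenated_login(db, "admin", "s3cret"))    # ('ok', True)
    print(parameterized_login(db, "admin", "s3cret"))   # ('ok', True)
    print(concatenated_login(db, "O'Brien", "x")[0])    # 'error'
    print(parameterized_login(db, "O'Brien", "x"))      # ('ok', False)
```

A login value that merely contains the delimiter (a name with an apostrophe) is enough to change what the concatenated statement says; the parameterized form returns a clean "no match" for the same input.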
This message:
http://leafe.com/archives/byMID/profox/[email protected]