> SQL injection can do all sorts of damage: it can simply delete
> all of your data; it can reveal admin passwords, employee information,
> etc. In essence, it enables bad guys to execute any data command they want.
>
> The rule to follow is always to sanitize inputs from users. Every
> DB out there has a function for escaping special characters; always make
> sure that every piece of text from outside the program is run through
> these methods before being passed to the database for execution.
And I'm saying that's exactly what I've done, not out of great security consciousness, but simply because it seemed to me the only way the typical user was going to be able to handle things was if I only let them enter strings for searchable data and forced them to pick names of tables and fields from lists.

I'm not saying that if you somehow managed to execute an SQL statement that contained nasty code it wouldn't do damage. I am just sitting here scratching my head wondering how anybody but a complete idiot would ever design a user interface that allows somebody to enter that kind of thing and have it be executable, as opposed to being treated as data.

Ken
www.stic-cil.org
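As an added illustration of the two positions in this exchange (escaping user text versus treating it strictly as data, with table and field names picked from a fixed list), and not code from the thread or from any ProFox member: Python with sqlite3, a constructed in-memory database, and hypothetical function names.

```python
import sqlite3

# Constructed sample database for the demonstration (not from the thread).
SCHEMA = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, city TEXT);
INSERT INTO customers (name, city) VALUES ('Ann', 'Boston'), ('Bob', 'Denver');
"""

# Allow-list of searchable tables and fields: the "pick from a list" approach.
# Identifiers cannot be bound as query parameters, so they are checked against
# this fixed set instead of being escaped.
SEARCHABLE = {"customers": {"name", "city"}}


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def is_searchable(table, field):
    return table in SEARCHABLE and field in SEARCHABLE[table]


def search_unsafe(conn, table, field, value):
    # String concatenation: the user's text becomes part of the SQL syntax,
    # so a value such as  ' OR '1'='1  changes the WHERE clause itself.
    sql = f"SELECT id, {field} FROM {table} WHERE {field} = '{value}'"
    return conn.execute(sql).fetchall()


def search_safe(conn, table, field, value):
    # Identifiers come only from the allow-list; the value is bound as a
    # parameter, so the database treats it as data, never as SQL.
    if not is_searchable(table, field):
        raise ValueError("unknown table or field")
    sql = f'SELECT id, "{field}" FROM "{table}" WHERE "{field}" = ?'
    return conn.execute(sql, (value,)).fetchall()


if __name__ == "__main__":
    db = open_db()
    tricky = "' OR '1'='1"
    print("unsafe:", search_unsafe(db, "customers", "city", tricky))  # both rows
    print("safe:  ", search_safe(db, "customers", "city", tricky))    # no rows
```

The same input returns every row through the concatenated query and nothing through the parameterized one, which is the "treated as data" distinction Ken describes.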

