Roland,
This is a big question.
Yes and maybe/doubtful.
Anytime you have users entering information into a DB, there are
possibilities of them putting in unexpected content. Even a chat room,
someone could enter in profanities and upset other users.
Let's get a little more extreme here and
Hi Roland,
This is very unlikely; it is more likely that they would try to add SQL
statements in the input field.
First of all, the data type constraints of the database field would probably
either prevent the saving of the offensive code or, most likely,
truncate it.
Even if there is
Must reading:
http://www.owasp.org/documentation/topten.html
Welcome to the OWASP Top Ten Project
The OWASP Top Ten provides a minimum standard for web application
security. The OWASP Top Ten represents a broad consensus about what the
most critical web application security flaws are. Project
I want the SHORT answer, something like:
A.) If you use witango, a browser-submitted piece of coding can't affect the
database, witango, or a visitor who searches and gets the record with the
code.
B.) Holy s**t!: You're an idiot of you doing have a layer in front of a
submit that searches and
I flunked proofreading
This option:
On 9/22/04 8:52 AM, Roland Dumas [EMAIL PROTECTED] wrote:
B.) Holy s**t!: You're an idiot of you doing have a layer in front of a
submit that searches and kills anything that looks like this.
Should read:
B.) Holy s**t!: You're an idiot if you don't
Hello,
this issue is known as the SQL injection problem; search on Google for more
information.
You should use stored procedures (if available) or parameterized queries, and also
rely on argument checking (B) to avoid this security issue completely.
Hope this helps.
Gauthier
- Original Message -
One of the lesser talked about features of Witango/Tango server architecture
is the advantage of "actions", especially the database actions. According
to what I have gleaned over the years (since I don't work for Pervasive or
Witango, and I don't have access to the Server source code), the
Sorry, but you forgot the
it should read... :-)
Should read:
B.) Holy s**t!: You're an idiot if you don't have a layer in front of a
new record or update that searches and kills anything that looks like
this.
I flunked proofreading
This option:
On 9/22/04 8:52 AM, Roland Dumas [EMAIL
I note there is a metatag @DEFINE to create an empty variable of the
specified type in the specified
scope.
How does one identify undefined variables? The debugger, unfortunately
will not catch this. Will the 5.5 syntax checker catch it (doubtful,
since it can't know the full execution
I am testing Witango 5.5.003 with Oterro 3.0
I am using a simple Search Action and I have a couple questions about the
following debug:
1) Why does Witango change the SQL and use '?' for the variable values and
then show them in BoundVals?
2) Any ideas about the syntax error?
[Query] [382]
I want to initialize domain variables at server startup, but my
startup.taf fails with the following:
22/09/2004 14:49:3866.219.95.114
[EMAIL PROTECTED]1102691248 1 0
[Error] -1070 The server is starting up and can not process regular
requests.
Hi Steve,
You have a copy of my Tango Debugging Tools don't you? If so, connect to
your datasource, copy your select statement from the debug code and
paste it in the SQL Command window. Then tweak it manually until you get
the syntax just right. Maybe the column UDisabled is not a text
datatype,
Title: Re: Witango-Talk: Security question
I'm slow here. Does this mean that if there is a SQL query in a DirectDBMS Action that it's protected by this bind dust? Or just New Record and Update Actions?
On 9/22/04 11:34 AM, Sri Amudhanar [EMAIL PROTECTED] wrote:
One of the lesser talked about
Most odd. I have a startup.taf that initializes domain variables and it's
pretty reliable. Never told to come back later.
On 9/22/04 3:03 PM, Bill Conlon [EMAIL PROTECTED] wrote:
I want to initialize domain variables at server startup, but my
startup.taf fails with the following:
22/09/2004
I'm confused about how the path is set for application execution. I
assume an 'application' is a collection of witango executables
contained within a directory marked by @APPPATH. But I seem to have
trouble getting anything other than the first stanza in
applications.ini to be recognized.
Since you provide your own SQL in a DirectDBMS action, you are responsible
for its quality, so like Gauthier suggests, use stored procedures/parameterized
queries.
Sri Amudhanar
Maxys Corporation
Authorized Witango Reseller
Authorized Pervasive, Cisco, HP, Thawte Reseller.
Roland Dumas wrote:
Ooops!
Just noticed a bug in my test value syntax. Make that %'; (percent + single-quote
+ semicolon) since % is the SQL wild card for column values in most databases
(except Access). Similarly choose the line terminator applicable for your
Database SQL syntax (# in some cases), and/or
Hi,
On Friday 24th Sept (in Australia), between 10am and 5pm AEST (Thursday 5pm
and 12am PST) we will be doing some network maintenance and upgrades.
During this upgrade window there will be times where our web, witango-talk
and email will be unavailable. This is part of the upgrade. These