on 11/8/2000 4:39 AM, "Kasper Nielsen" <[EMAIL PROTECTED]> wrote:
> while we are at it.
>
> Has anybody had to deal with users entering sql statements in fields not
> intended to?
>
> If you have something like this ,
> sql = "select * from secretdata where userid=" + user.getId() + " and
> month=" + UserInput +";"
>
> and needs to get some input from a form field (UserInput) and the user
> inputs '12 or userid>0'
>
> Then we get something like this
> sql=select * from secretdata where userid=xxx and month=12 or userid>0;
> not quite what we intended.
> Or what about nasty joins and like's? They could easily lay down a database
> (at least if you're running Access ;-)?
>
> - Kasper
Yea, I just LOVE doing that to websites...
<http://www.drugfreeamerica.org/druginfo/drugInfo.asp?drugID=-10>
That should just be a "10" instead of a -10. :-) It shows bad engineering at
its best. :-) They must have been taking way too much E. LOL!
The short story is that you should NEVER trust user input and for SQL, there
isn't much you can do about it except for trying to first cast the
information into a specific object type (nice that Java supports that) and
if it fails (ie: throws an exception), then you can deal with it. If it
succeeds, then you should also test that object for whatever criteria you
are expecting as well (ie: a positive integer).
I know it is a pain, but that is the way it is. You can probably write some
helpful utilities if you are expecting the same type of data over and over,
but for the most part, unfortunately it really isn't portable to a framework
level.
So, here is my challenge, prove me wrong and submit a class for Turbine. :-)
thanks,
-jon
--
http://scarab.tigris.org/ | http://noodle.tigris.org/
http://java.apache.org/ | http://java.apache.org/turbine/
http://www.working-dogs.com/ | http://jakarta.apache.org/velocity/
http://www.collab.net/ | http://www.sourcexchange.com/
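As an added illustration of the cast-then-check approach Jon describes (example code, not from the thread or from Turbine): a hypothetical `MonthInput` helper parses the `month` form field from Kasper's query as an `int`, then checks the range it actually expects, so both `12 or userid>0` and the `-10` from Jon's link are rejected before any SQL is assembled. The `PreparedStatement` with bound parameters goes a step beyond what the thread mentions; the column names are the thread's, everything else is assumed.

```java
// Added example, not code from the original thread. "secretdata", "userid"
// and "month" come from Kasper's message; the class and method names are hypothetical.
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

public final class MonthInput {

    /** Validates a raw form field: returns a month 1..12 or throws. */
    public static int parseMonth(String raw) {
        if (raw == null) throw new IllegalArgumentException("month missing");
        int month;
        try {
            // Step 1: cast to a specific type. "12 or userid>0" fails right here.
            month = Integer.parseInt(raw.trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("month is not an integer", e);
        }
        // Step 2: test the object for the criteria you expect (positive and in range),
        // which is what rejects "-10" even though it parsed as an int.
        if (month < 1 || month > 12) {
            throw new IllegalArgumentException("month out of range: " + month);
        }
        return month;
    }

    /** The thread's query, built only from validated values and bound parameters. */
    public static PreparedStatement secretDataForMonth(Connection conn, int userId, String rawMonth)
            throws SQLException {
        int month = parseMonth(rawMonth); // throws before any SQL text is built
        PreparedStatement ps = conn.prepareStatement(
            "select * from secretdata where userid = ? and month = ?");
        ps.setInt(1, userId);
        ps.setInt(2, month);
        return ps;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one valid, the rest hostile or malformed.
        String[] samples = { "12", "12 or userid>0", "-10", "0x0C" };
        for (String s : samples) {
            try {
                System.out.println("\"" + s + "\" -> " + parseMonth(s));
            } catch (IllegalArgumentException e) {
                System.out.println("\"" + s + "\" rejected: " + e.getMessage());
            }
        }
    }
}
```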