> From: Bruce Ordway
> I want to select all parts that have a " in the description
> field (F1). People have been using " instead of INCH.
> This causes problems for me during processing some reports
> and exports.
I didn't get the original post to this, only replies -
weird.
What's being described here is the concept called "SQL Injection"
where users intentionally or unintentionally put something in
data that causes queries to misbehave.
For example:
PRINT "Enter your customer ID to see your data"
INPUT CUSTID
EXECUTE "SELECT ORDERS WITH CUST '":CUSTID:"'"
LOOP ... DISPLAY RESULTS ...
What if the user enters:
ME' OR NOT 'ME
Please excuse my Pick-style syntax, but obviously embedding the
user response into the query without filtering will allow anyone
to see pretty much anything. Knowledge of the specific query
isn't always required, but if the user knows they're working with
a MV DBMS it's not tough to alter the query as easily as any SQL
query.
This isn't the sort of thing MV people grew up on with telnet
clients, but it's critical when deploying apps to a public
website - even with secured login. The rest of the development
world is VERY aware of this concept and we aren't any more immune
to it - we've just survived with the "good fortune" of using
obscure software and being a more difficult target than your
average LAMP-based website.
This is a topic that I decided to NOT write about as the second
entry to my blog on website hacking. But considering this is
still something I see on a daily basis I decided maybe it is
something that needs to be discussed somewhere.
remove.thisNebula-RnD.com/blog/tech/2007/01/website-hacks1.html/2
HTH
Tony Gravagno
Nebula Research and Development
TG@ remove.pleaseNebula-RnD.com
-------
u2-users mailing list
[email protected]
To unsubscribe please visit http://listserver.u2ug.org/
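An added example (not part of Tony's post, and not Pick BASIC) that carries the same point into something you can run: Python with an in-memory SQLite table stands in for the MV file, the table, column and customer IDs are constructed for the demonstration, and the string-spliced query is the SQL equivalent of the EXECUTE "SELECT ORDERS WITH CUST '":CUSTID:"'" line above. It shows the unfiltered concatenation returning every order for the input from the post, the bound-parameter form returning nothing for the same input, and an allow-list check that rejects it before the query is built. It also shows that a " in a description field is harmless once it travels as a bound value rather than as query text.

```python
import re
import sqlite3

# Constructed sample rows for the demonstration (CUST, ORDER_ID, F1 description).
# One description uses " for INCH, as in the original question.
ORDERS = [
    ("ME", "ORD-1001", "10 INCH PIPE"),
    ("YOU", "ORD-1002", '3" VALVE'),
    ("THEM", "ORD-1003", "1/2 INCH BOLT"),
]


def make_db():
    """Create an in-memory ORDERS table and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ORDERS (CUST TEXT, ORDER_ID TEXT, F1 TEXT)")
    conn.executemany("INSERT INTO ORDERS VALUES (?, ?, ?)", ORDERS)
    conn.commit()
    return conn


def orders_for_customer_unsafe(conn, custid):
    """The pattern from the post: user input spliced straight into the query
    text. A quote in CUSTID ends the literal and the rest becomes query syntax."""
    sql = "SELECT ORDER_ID FROM ORDERS WHERE CUST = '" + custid + "' ORDER BY ORDER_ID"
    return [row[0] for row in conn.execute(sql)]


def orders_for_customer_safe(conn, custid):
    """Hardened form: CUSTID is bound as a value by the driver, so quote
    characters in it are compared as data and can never reshape the query."""
    sql = "SELECT ORDER_ID FROM ORDERS WHERE CUST = ? ORDER BY ORDER_ID"
    return [row[0] for row in conn.execute(sql, (custid,))]


def is_valid_custid(custid):
    """Defence in depth: a customer ID here is assumed to be 1-10 upper-case
    letters or digits; anything else is rejected before a query is built."""
    return re.fullmatch(r"[A-Z0-9]{1,10}", custid) is not None


def parts_with_quote_in_description(conn):
    """The original question: find rows whose F1 contains a double quote.
    The " is passed as a bound parameter, so no escaping of query text is needed."""
    sql = "SELECT ORDER_ID FROM ORDERS WHERE instr(F1, ?) > 0 ORDER BY ORDER_ID"
    return [row[0] for row in conn.execute(sql, ('"',))]


if __name__ == "__main__":
    db = make_db()
    payload = "ME' OR NOT 'ME"          # the input from the post
    print("unsafe, ME     :", orders_for_customer_unsafe(db, "ME"))
    print("unsafe, payload:", orders_for_customer_unsafe(db, payload))
    print("safe,   payload:", orders_for_customer_safe(db, payload))
    print("allow-list ok? :", is_valid_custid(payload))
    print('parts with " : ', parts_with_quote_in_description(db))
```

The concatenated version yields all three orders for the post's input because the query becomes WHERE CUST = 'ME' OR NOT 'ME', and NOT 'ME' evaluates true; the bound version returns nothing because it looks for a customer literally named ME' OR NOT 'ME. Binding is the fix; the allow-list is a second gate that also makes the rejected input visible in logs.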