Right, but to do that they'd have to know a username/password. SQL injection attacks alter the SQL statements sent by a valid user so the attacker doesn't need to know a username/password.
Even more scary is how hackers can get into a system using a "I forgot my password" form with SQL injection, lots of examples on the web.

On Fri, Apr 10, 2015, 6:52 PM J. Landman Gay <[email protected]> wrote:

> I freeze up with this stuff, just like I do with math. But...but...won't an intruder be likely to send their own queries, regardless of how the app is doing it? If they include raw values, the database will still respond, right? So why would it matter how the app is doing it?
>
> On 4/10/2015 8:36 PM, Peter Haworth wrote:
> > On Fri, Apr 10, 2015 at 6:14 PM, J. Landman Gay <[email protected]> wrote:
> >
> >> I'm not quite sure what Pete meant by using the variable name option in the rev database functions though. (I am so not a database person.)
> >
> > Well you opened the door by asking :-)
> >
> > As an example, revDataFromQuery's syntax is
> >
> > revDataFromQuery([*columnDelim*],[*rowDelim*],*databaseID*,*SQLQuery*[,*varsList*])
> >
> > "varslist" is the thing I mentioned. It allows you to have a SELECT statement like this:
> >
> > SELECT col1,col2 FROM myTable WHERE col3=:1 AND col4=:2
> >
> > The values for :1 and :2 are supplied in the varslist which can either be a comma separated list of simple variable names or a single array variable with, in this case, keys 1 and 2, with the variable names enclosed in quotes.
> >
> > So the revDataFromQuery call would be:
> >
> > put revDataFromQuery(,,gDBID,tSelect,"tValue1","tValue2") into tData
> >
> > OR
> >
> > put revDataFromQuery(,,gDBID,tSelect,"tArray") into tData
> >
> > In addition to preventing SQL injection attacks, this also avoids the need to escape troublesome characters like quotes in the data.
> >
> > Pete
> > lcSQL Software <http://www.lcsql.com>
> > Home of lcStackBrowser <http://www.lcsql.com/lcstackbrowser.html> and SQLiteAdmin <http://www.lcsql.com/sqliteadmin.html>
> >
> > _______________________________________________
> > use-livecode mailing list
> > [email protected]
> > Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
> > http://lists.runrev.com/mailman/listinfo/use-livecode
>
> --
> Jacqueline Landman Gay | [email protected]
> HyperActive Software | http://www.hyperactivesw.com
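Pete's varsList approach applied to the "I forgot my password" lookup mentioned above, as an added example that is not from the thread or from LiveCode's own documentation; the connection id gDBID, the users table with its columns, and the handler names are assumptions. The string-concatenation version is shown only so the two forms can be compared side by side.

```livecode
-- Added example (not from the thread). Assumes gDBID holds a database
-- connection id returned by revOpenDatabase, and a hypothetical "users"
-- table with columns id, email and reset_token.

-- Vulnerable form: the value typed into the form is pasted into the SQL
-- text, so quotes or SQL keywords in that value change the statement.
function lookupAccountUnsafe pEmail
   local tSQL
   put "SELECT id,email FROM users WHERE email='" & pEmail & "'" into tSQL
   return revDataFromQuery(tab, return, gDBID, tSQL)
end lookupAccountUnsafe

-- Hardened form: the statement text is fixed and the value is handed
-- over through varsList, so the driver binds it as data, never as SQL.
-- No escaping of quotes in tEmail is needed.
function lookupAccount pEmail
   local tSQL, tEmail
   put pEmail into tEmail
   put "SELECT id,email FROM users WHERE email=:1" into tSQL
   return revDataFromQuery(tab, return, gDBID, tSQL, "tEmail")
end lookupAccount

-- Same idea with the array form of varsList, for a statement that needs
-- two values: key 1 fills :1 and key 2 fills :2.
-- revExecuteSQL sets the result to the affected row count, or to an
-- error string; returning it lets the caller check which one it got.
command storeResetToken pEmail, pToken
   local tSQL, tParams
   put pEmail into tParams[1]
   put pToken into tParams[2]
   put "UPDATE users SET reset_token=:2 WHERE email=:1" into tSQL
   revExecuteSQL gDBID, tSQL, "tParams"
   return the result
end storeResetToken
```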
