It is all about input validation. Access to a SQL server is reasonable. Access 
to the shell is something that probably should be avoided. In either case you 
need to be sure the user/hacker cannot send requests that you do not allow.

Thanks,
Brian
On Jul 16, 2018, 9:51 AM -0500, Bob Sneidar via use-livecode 
<use-livecode@lists.runrev.com>, wrote:
> Judging by this, simply putting an SQL server behind a web server does not 
> really protect the SQL server like some propose. Maybe I'm oversimplifying 
> the issue, but it seems they are saying that using this method, shell 
> commands can be executed, and that means access to the SQL database can be 
> had.
>
> Bob S
>
>
> > On Jul 15, 2018, at 14:31 , J. Landman Gay via use-livecode 
> > <use-livecode@lists.runrev.com> wrote:
> >
> > I suspect the paranoid among us already know this, but I didn't realize it 
> > was quite so easy:
> >
> > https://null-byte.wonderhowto.com/how-to/use-command-injection-pop-reverse-shell-web-server-0185760/
> >
> > --
> > Jacqueline Landman Gay | jac...@hyperactivesw.com
> > HyperActive Software | http://www.hyperactivesw.com
>
>
> _______________________________________________
> use-livecode mailing list
> use-livecode@lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your subscription 
> preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode