We had a system interface between a public web server and a SQL database that ran pre-formed SQL commands.
The table was specified, the variables were typed, the output was processed by XSLT, etc. The public server called a function that included the variables and got back whatever the XSLT produced. Each variable was checked to make sure it conformed to the type of data that variable could contain. Integer, Float, String, Boolean, etc. Strings were not allowed to have quotes in them, and some strings were optionally length limited. We had a SQL table with these canned queries and an internal interface for building them. Each command also had a sample output so that if someone was using the command as part of a test, it would reply with the desired test data and not actually affect the SQL database. SQL injection is just amazing to watch. Once saw a demonstration of a bank in India. In the login, they added SQL to the password field and got back a list of all the tables in the database. Very scary. Kee > On Jul 15, 2018, at 2:31 PM, J. Landman Gay via use-livecode > <use-livecode@lists.runrev.com> wrote: > > I suspect the paranoid among us already know this, but I didn't realize it > was quite so easy: > > https://null-byte.wonderhowto.com/how-to/use-command-injection-pop-reverse-shell-web-server-0185760/ > > -- > Jacqueline Landman Gay | jac...@hyperactivesw.com > HyperActive Software | http://www.hyperactivesw.com > > _______________________________________________ > use-livecode mailing list > use-livecode@lists.runrev.com > Please visit this url to subscribe, unsubscribe and manage your subscription > preferences: > http://lists.runrev.com/mailman/listinfo/use-livecode _______________________________________________ use-livecode mailing list use-livecode@lists.runrev.com Please visit this url to subscribe, unsubscribe and manage your subscription preferences: http://lists.runrev.com/mailman/listinfo/use-livecode
