On Jun 25, 2011, at 2:59 PM, Ken Dibble wrote:

> I'm not saying that if you somehow managed to execute an SQL statement that 
> contained nasty code it wouldn't do damage. I am just sitting here 
> scratching my head wondering how anybody but a complete idiot would ever 
> design a user interface that allows somebody to enter that kind of thing 
> and have it be executable, as opposed to being treated as data.

        Users don't enter entire SQL statements; you're right: nobody's that 
stupid. But apps do let users enter values that are then merged with SQL 
templates in your code and executed.

        Here's the simplest example: you provide a textbox for the user to type 
into, and then do string manipulation to create the query. Example: imagine a 
'search by name' textbox that the user types into, and then clicks 'Search'. 
The app then creates an SQL statement using what the user typed, and executes 
that to find the matching names. Let's say the user types 'Leafe', and your 
code says (sorry, my Fox is rusty; this is in Python):

# the user's text is pasted straight into the SQL, so it is parsed as SQL
sql = "select * from users where lastname = '" + txtName.Value + "';"
db_connection.execute(sql)

This would yield the command:

select * from users where lastname = 'Leafe';

...and all would be fine. But imagine if they had typed in: ';drop table users; --

This would yield:

select * from users where lastname = '';drop table users; --';

This is actually three commands: a select for empty last names, followed by a DROP 
TABLE command, followed by a comment (lines beginning with two dashes are 
comments). This, of course, is pretty disastrous to run.


-- Ed Leafe
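The concatenation described above, next to the parameterized form that avoids it, as an added example that is not part of the original message or of anything from the ProFox list. It uses Python's sqlite3 module against an in-memory database with constructed sample rows, so it runs offline; the table and column names are assumed for the demo. It goes one step beyond the post: besides the stacked DROP TABLE payload, it shows a single-statement tautology payload (' OR '1'='1), which works even with drivers that refuse to run more than one statement per call. sqlite3's execute() is one such driver, so executescript() stands in for a driver that runs everything it is handed.

```python
import sqlite3

# Payloads: the stacked-statement one from the message, which drops the table,
# and a tautology that needs only a single statement to leak every row.
DROP_PAYLOAD = "';drop table users; --"
TAUTOLOGY_PAYLOAD = "' OR '1'='1"


def make_db():
    """Constructed sample data: a two-row 'users' table in an in-memory SQLite db."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, lastname TEXT NOT NULL);
        INSERT INTO users (lastname) VALUES ('Leafe');
        INSERT INTO users (lastname) VALUES ('Dibble');
    """)
    return conn


def table_exists(conn, name):
    """Check the catalog so we can see whether a DROP TABLE actually ran."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def build_vulnerable_sql(name):
    """The string manipulation from the message: user text pasted into the SQL."""
    return "select lastname from users where lastname = '" + name + "';"


def search_vulnerable(conn, name):
    """Run the concatenated query with execute(). sqlite3's execute() accepts
    exactly one statement, so stacked payloads are refused here, but a
    tautology in the WHERE clause still returns every row."""
    return [row[0] for row in conn.execute(build_vulnerable_sql(name)).fetchall()]


def execute_refuses_stacked(conn, name):
    """True if execute() rejected the string for holding more than one statement
    (sqlite3 raises ProgrammingError for that; older versions raised Warning)."""
    try:
        search_vulnerable(conn, name)
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return True
    return False


def search_vulnerable_stacked(conn, name):
    """Same concatenation, run the way a driver that accepts stacked statements
    would run it: executescript() executes every statement in the string, so the
    smuggled DROP TABLE really runs. The SELECT's rows are discarded."""
    conn.executescript(build_vulnerable_sql(name))


def search_safe(conn, name):
    """Parameterized query: the SQL text is fixed and the value is bound
    separately, so whatever the user typed is compared as data, never parsed."""
    rows = conn.execute(
        "select lastname from users where lastname = ?;", (name,)
    ).fetchall()
    return [row[0] for row in rows]


if __name__ == "__main__":
    conn = make_db()
    print("plain search:", search_vulnerable(conn, "Leafe"))
    print("tautology leaks every row:", search_vulnerable(conn, TAUTOLOGY_PAYLOAD))
    print("execute() refuses stacked payload:", execute_refuses_stacked(conn, DROP_PAYLOAD))
    print("safe search with drop payload:", search_safe(conn, DROP_PAYLOAD))
    search_vulnerable_stacked(conn, DROP_PAYLOAD)
    print("users table still exists:", table_exists(conn, "users"))
```

The point of the two vulnerable variants is that a driver refusing stacked statements is not a fix: the tautology payload leaks every row through a single SELECT, and a different driver (or the same code moved to a server that accepts batches) lets the DROP through. Only the parameterized version keeps the user's text out of the statement entirely.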




_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: 
http://leafe.com/archives/byMID/profox/[email protected]
** All postings, unless explicitly stated otherwise, are the opinions of the 
author, and do not constitute legal or medical advice. This statement is added 
to the messages for those lawyers who are too stupid to see the obvious.
