That works even in VFP, in a scenario similar to this: The application ask for user and password, then executes a query similar to this:
'SELECT loginfield, passwordfield From users where login=="' + login + '" And Password =="' + password + '"' So far so good. And the user enter this as username: admin" && Not sure I got the synthax right because I don't have VFP installed to test, but the idea is to use an admin account, then COMMENT the rest of the sql. Tally will return 1 and voila, you have an admin logged in. Pretty much similar to this one: Select loginfield, passwordfield From users where login=="admin" && '" and password = whatever, it doesn't matter - this part is commented out The proper way to do this is to use query parameters: Select loginfield, passwordfield from users where loginfield ==?login and passwordfield==?password This will instruct the backend to use the values as parameters instead concatenating them in the sql, and they will be treated as literal values. -----Original Message----- From: [email protected] [mailto:[email protected]] On Behalf Of Ed Leafe Sent: Saturday, June 25, 2011 10:18 PM To: [email protected] Subject: Re: [NF] Questions on migrating VFP app On Jun 25, 2011, at 2:59 PM, Ken Dibble wrote: > I'm not saying that if you somehow managed to execute an SQL statement > that contained nasty code it wouldn't do damage. I am just sitting > here scratching my head wondering how anybody but a complete idiot > would ever design a user interface that allows somebody to enter that > kind of thing and have it be executable, as opposed to being treated as data. Users don't enter entire SQL statements; you're right: nobody's that stupid. But they do let them enter values that are then merged with SQL templates in your code and executed. Here's the simplest example: you provide a textbox for the user to type into, and then do string manipulation to create the query. Example: image a 'search by name' textbox that the user types into, and then clicks 'Search'. The app then creates an SQL statement using what the user typed, and executes that to find the matching names. Let's say the user types 'Leafe', and your code says (sorry, my Fox is rusty; this is in Python): sql = "select * from users where lastname = '" + txtName.Value + "';" db_connection.execute(sql) This would yield the command: select * from users where lastname = 'Leafe'; ...and all would be fine. But imagine if they had typed in: ';drop table users; -- This would yield: select * from users where lastname = '';drop table users; --'; This is actually 3 commands: a select for empty last names, followed by a DROP TABLE command, followed by a comment (lines beginning with two dashes are comments). This, of course, is pretty disastrous to run. -- Ed Leafe [excessive quoting removed by server] _______________________________________________ Post Messages to: [email protected] Subscription Maintenance: http://leafe.com/mailman/listinfo/profox OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech Searchable Archive: http://leafe.com/archives/search/profox This message: http://leafe.com/archives/byMID/profox/[email protected] ** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
