> Users don't enter entire SQL statements; you're right: nobody's > that stupid. But they do let them enter values that are then merged with > SQL templates in your code and executed. > > Here's the simplest example: you provide a textbox for the user > to type into, and then do string manipulation to create the query. > Example: image a 'search by name' textbox that the user types into, and > then clicks 'Search'. The app then creates an SQL statement using what > the user typed, and executes that to find the matching names. Let's say > the user types 'Leafe', and your code says (sorry, my Fox is rusty; this > is in Python): > >sql = "select * from users where lastname = '" + txtName.Value + "';" >db_connection.execute(sql) > >This would yield the command: > >select * from users where lastname = 'Leafe'; > >...and all would be fine. But imagine if they had typed in: ';drop table >users; -- > >This would yield: > >select * from users where lastname = '';drop table users; --'; > >This is actually 3 commands: a select for empty last names, followed by a >DROP TABLE command, followed by a comment (lines beginning with two dashes >are comments). This, of course, is pretty disastrous to run.
Okay. But that would have never happen in my case because my code detects characters that aren't valid for a search on people's names, tells the user "invalid entry" and stops before any SQL expression gets constructed. An apostrophe not surrounded by alphabetic characters isn't valid, nor is a semicolon. (Semicolon wouldn't work in VFP either; that expression would throw an error--maybe another good reason not to have programming languages whose lines of code end in characters ordinary people can enter on a keyboard...*LOL*) I designed it that way not because I was conscious of security issues, but because it's always been my understanding that user interfaces should be designed to be as helpful as possible and to prevent users from making errors insofar as possible. I'm learning a lot from this discussion. But fumble-fingered typists can come up with all kinds of bizarre results, and it happens all the time. I also don't use delimiters that can be valid portions of data and therefore have to be escaped; it's more work than it needs to be. I don't know why anyone would do that. And I just remain amazed that people whose pay grades and experience are far beyond my own would design interfaces that would let users search a database on non-valid terms for the kind of data they're looking for. Ken www.stic-cil.org _______________________________________________ Post Messages to: [email protected] Subscription Maintenance: http://leafe.com/mailman/listinfo/profox OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech Searchable Archive: http://leafe.com/archives/search/profox This message: http://leafe.com/archives/byMID/profox/[email protected] ** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
