If there's no sensitive data, and the db credentials aren't used for any other databases and/or user logins, I'd say you're OK.
Pete
lcSQL Software <http://www.lcsql.com>
Home of lcStackBrowser <http://www.lcsql.com/lcstackbrowser.html> and
SQLiteAdmin <http://www.lcsql.com/sqliteadmin.html>

On Sat, Apr 11, 2015 at 9:20 AM, J. Landman Gay <jac...@hyperactivesw.com> wrote:

> Okay, so it sounds like there's no danger in my case. There's no public-facing access, so no way to retrieve a forgotten password. The single set of credentials is hard coded into the app, which is unreadable after it's compiled, and the user doesn't know it. The only way to alter the SQL would be in a man-in-the-middle attack, and if that happened, all they'd get back would be the set of data we don't care about. The database doesn't connect to or access any other files on the server.
>
> So unless there are SQL commands that can tell the database to access parts of the server that aren't the database, it sounds like the worst that would happen would be the deletion of the data, which isn't critical and is replaced daily anyway.
>
> Am I on the right track?
>
> On April 11, 2015 10:27:35 AM CDT, Peter Haworth <p...@lcsql.com> wrote:
> >Right, but to do that they'd have to know a username/password.
> >
> >SQL injection attacks alter the SQL statements sent by a valid user, so the attacker doesn't need to know a username/password.
> >
> >Even more scary is how hackers can get into a system using an "I forgot my password" form with SQL injection; there are lots of examples on the web.
> >
> >On Fri, Apr 10, 2015, 6:52 PM J. Landman Gay <jac...@hyperactivesw.com> wrote:
> >
> >> I freeze up with this stuff, just like I do with math. But...but...won't an intruder be likely to send their own queries, regardless of how the app is doing it? If they include raw values, the database will still respond, right? So why would it matter how the app is doing it?
> >>
> >> On 4/10/2015 8:36 PM, Peter Haworth wrote:
> >> > On Fri, Apr 10, 2015 at 6:14 PM, J. Landman Gay <jac...@hyperactivesw.com> wrote:
> >> >
> >> >> I'm not quite sure what Pete meant by using the variable name option in the rev database functions though. (I am so not a database person.)
> >> >
> >> > Well, you opened the door by asking :-)
> >> >
> >> > As an example, revDataFromQuery's syntax is
> >> >
> >> > revDataFromQuery([*columnDelim*],[*rowDelim*],*databaseID*,*SQLQuery*[, *varsList*])
> >> >
> >> > "varslist" is the thing I mentioned. It allows you to have a SELECT statement like this:
> >> >
> >> > SELECT col1,col2 FROM myTable WHERE col3=:1 AND col4=:2
> >> >
> >> > The values for :1 and :2 are supplied in the varslist, which can either be a comma-separated list of simple variable names or a single array variable with, in this case, keys 1 and 2, with the variable names enclosed in quotes.
> >> >
> >> > So the revDataFromQuery call would be:
> >> >
> >> > put revDataFromQuery(,,gDBID,tSelect,"tValue1","tValue2") into tData
> >> >
> >> > OR
> >> >
> >> > put revDataFromQuery(,,gDBID,tSelect,"tArray") into tData
> >> >
> >> > In addition to preventing SQL injection attacks, this also avoids the need to escape troublesome characters like quotes in the data.
> >> >
> >> > Pete
> >> > lcSQL Software <http://www.lcsql.com>
> >> > Home of lcStackBrowser <http://www.lcsql.com/lcstackbrowser.html> and
> >> > SQLiteAdmin <http://www.lcsql.com/sqliteadmin.html>
> >> > _______________________________________________
> >> > use-livecode mailing list
> >> > use-livecode@lists.runrev.com
> >> > Please visit this url to subscribe, unsubscribe and manage your
> >> > subscription preferences:
> >> > http://lists.runrev.com/mailman/listinfo/use-livecode
> >>
> >> --
> >> Jacqueline Landman Gay | jac...@hyperactivesw.com
> >> HyperActive Software | http://www.hyperactivesw.com
>
> --
> Jacqueline Landman Gay | jac...@hyperactivesw.com
> HyperActive Software | http://www.hyperactivesw.com
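The contrast Pete draws above (values spliced into the SQL text versus values supplied through :1/:2 placeholders), as an added example that is not from the thread or from LiveCode: Python's sqlite3 "?" placeholders stand in for the varsList mechanism, and the table, rows and inputs are constructed for the demonstration.

```python
import sqlite3

def make_db():
    """Constructed in-memory table matching the thread's SELECT (sample rows, not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE myTable (col1 TEXT, col2 TEXT, col3 TEXT, col4 TEXT)")
    conn.executemany("INSERT INTO myTable VALUES (?, ?, ?, ?)", [
        ("a1", "a2", "alice", "x"),
        ("b1", "b2", "O'Brien", "x"),   # a legitimate value that contains a quote
        ("c1", "c2", "carol", "y"),
    ])
    return conn

def query_concat(conn, value1, value2):
    """Vulnerable form: values are spliced into the SQL text, so a quote inside
    the data becomes part of the statement instead of part of the value."""
    sql = ("SELECT col1,col2 FROM myTable WHERE col3='" + value1 +
           "' AND col4='" + value2 + "'")
    return conn.execute(sql).fetchall()

def query_params(conn, value1, value2):
    """Hardened form: '?' placeholders play the role of :1 and :2 in LiveCode;
    the values travel separately from the statement and are never parsed as SQL."""
    sql = "SELECT col1,col2 FROM myTable WHERE col3=? AND col4=?"
    return conn.execute(sql, (value1, value2)).fetchall()

def demo():
    """Run both forms over the same inputs and return the results keyed by case."""
    conn = make_db()
    out = {}
    out["params_normal"] = query_params(conn, "alice", "x")
    # The quote in O'Brien needs no escaping with placeholders...
    out["params_quote"] = query_params(conn, "O'Brien", "x")
    # ...but breaks the concatenated statement (sqlite reports a syntax error).
    try:
        out["concat_quote"] = query_concat(conn, "O'Brien", "x")
    except sqlite3.OperationalError as exc:
        out["concat_quote"] = "error: " + str(exc)
    # A value that itself contains SQL: concatenation rewrites the WHERE clause
    # and returns every col4='x' row; the placeholder form matches nothing,
    # because the whole string is compared as a literal against col3.
    crafted = "nobody' OR '1'='1"
    out["concat_crafted"] = query_concat(conn, crafted, "x")
    out["params_crafted"] = query_params(conn, crafted, "x")
    return out

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```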