Well I thought I'd resolved this to my own satisfaction years ago, but I 
decided to re-visit it -
I couldn't find a way to do SQL injection in FoxPro:
CLEAR
CREATE CURSOR users (user C(5), password c(5))
DISPLAY STRUCTURE
CLEAR
INSERT INTO users values('poo', 'bear')
INSERT INTO users values('meme', 'pass')
INSERT INTO users values('admin', '3j&Kv@')
yuser = 'meme'
ypass = 'pass'
xuser = 'admin &+[& ]'
xpass = 'abcd'
lvar = "Select * From Users where user = '" + xuser + "' And password = '" + xpass + "'"
lvar2 = "Select * From Users where user = '" + yuser + "' And password = '" + ypass + "'"
SELECT * FROM users WHERE user = ?yuser AND password = ?ypass
USE IN query
&lvar2
USE IN query
&lvar
? _TALLY && 0
USE IN query
xuser = 'admin .. ]'
&lvar
? _TALLY && 0
USE IN query
xuser = [admin ' &&]
xuser = "admin &' +[&] "
&lvar
? _TALLY && 0
USE IN query
?xuser
xuser = "admin' & +[&] "
?xuser
&lvar
? _TALLY && 0
SELECT * FROM users WHERE user = ?xuser AND password = ?xpass
? _TALLY && 0
USE IN query
CLOSE ALL
CLEAR ALL

So &mySQLstring and ?xvar both seem safe, although ?vars *feel* like 
better code. I'm pretty sure they're safe with remote views on rdbms as 
well but I don't have one set up to try at the moment.

AndyD 8-)

On 19:59, Ken Dibble wrote:
>>> Right, which in turn proves that if you use macro substitution to execute
>>> concatenated SQL statements in VFP, you cannot construct a statement that
>>> can damage your data.<snip>
>>>   "Select * From Users where username = '" + varUsername + "' And password = '" + varPassword + "'"
>>>
>>> Not sure where you're going with that.
>>>
>> Have you even TRIED to run this code?
> <snip>
>
> Select * From Users where username = '" + varUsername + "' And password
> = '" + varPassword + "'"
>
> Assuming correct login and password are supplied, it will return all of the
> fields in the user's account. That's what "SELECT *" does.

> Why would I use
> such a query to log somebody in?
> if _tally = 1 && log 'em in ??

>
>>> When users log into my app, they fill in blanks for username and password,
>>> and the app executes:
>>>
>>> "SELECT userid FROM users WHERE login == '" + mylogin + "' AND password ==
>>> '" + mypassword + "'"
>>>
>> EXACTLY my point. Enter [admin '&&] (without square brackets) as username
>> and a random password. ( or any admin user name, I bet your users know the
>> username of their admin)
> <snip>
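The login lookup the thread keeps circling back to, written out as a complete parameterised routine with the `_TALLY = 1` check. This is an added example, not code from AndyD, Ken Dibble or the list; the `users` table, its `userid`/`login`/`password` columns and the function name `LoginUserId` are assumptions made for the example.

```foxpro
* Constructed sample data, same shape as the test cursor in the thread.
CREATE CURSOR users (userid I, login C(20), password C(20))
INSERT INTO users VALUES (1, 'meme', 'pass')
INSERT INTO users VALUES (2, 'admin', '3j&Kv@')

* Valid credentials, a wrong password, and the comment-looking user
* name from the thread, which is simply compared as literal text.
? LoginUserId('meme', 'pass')
? LoginUserId('admin', 'wrong')
? LoginUserId("admin '&&", 'abcd')
CLOSE ALL
RETURN

* Added example (not from the thread): a login lookup that hands the
* user-supplied values to the local SQL engine as ?parameters, so they
* are bound as data rather than spliced into the statement text.
* Table, column and function names are assumptions for this example.
FUNCTION LoginUserId(tcLogin, tcPassword)
   LOCAL lnUserId
   lnUserId = 0
   * ?tcLogin and ?tcPassword are bound parameters; the statement text
   * never contains the caller's input, so there is nothing in it to be
   * read as a quote, a comment or a second statement.
   SELECT userid FROM users ;
      WHERE login == ?tcLogin AND password == ?tcPassword ;
      INTO CURSOR crsLogin
   * Exactly one matching row is a valid login; no match (or a duplicate
   * account) is treated as a failure.
   IF _TALLY = 1
      lnUserId = crsLogin.userid
   ENDIF
   USE IN crsLogin
   RETURN lnUserId
ENDFUNC
```

The main code sits above the function because VFP stops running a PRG's top-level statements at the first FUNCTION or PROCEDURE line. Sending the result `INTO CURSOR crsLogin` rather than the default `query` cursor keeps the routine from clobbering whatever the caller has open, and closing the cursor before returning leaves no credentials lying around in the data session.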

_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: http://leafe.com/archives/byMID/profox/[email protected]