I will not insist any more on this subject. You're defending your approach fiercely, and "bending design to use SQL parameters" should be read as "doing it right in the first place". Anyway, good luck duplicating already existing, fail-proof, industry-proven code. How would you know you found them all? "&" + "&" can be written in more than one way: "&" + CHR(38), or CHR(38) + "&", or CHR(38) + CHR(38), or whatever. A better approach would be to concatenate first and then test for troublesome characters, but in any case this approach drastically limits the "good" data. What if the username is O'Hara? (Yep, I tested first; it will error because there will be an extra single quote.) You won't allow that name? What if you have to send binary data and there is a CTRL+Z ASCII code in the binary data, which will break your line, thus breaking the SQL command? I could rant on this for days.
But you seem to be happy with your approach, so that's good for you. Great. (And that nonsense about enterprise apps being hacked: well, you don't know how they've been hacked. Maybe the hackers had physical access to the database. Maybe they exploited an OS vulnerability. Maybe they exploited a cross-site scripting vulnerability. You don't know; you'd better not talk about that.)

-----Original Message-----
From: profoxtech-boun...@leafe.com [mailto:profoxtech-boun...@leafe.com] On Behalf Of Ken Dibble
Sent: Thursday, February 16, 2012 6:33 AM
To: profoxt...@leafe.com
Subject: Re: [NF] Very strong set of issues in Are You a Bad Programmer.

>
> All of the examples you've shown me so far rely on the ability to
> inject characters that break the line. I've just spent a few hours
> searching this topic on Google and I can't find a single example that
> doesn't rely on injecting characters that break the line. In that case,
> why would not something as simple as this work?
>
> * Regular expressions would make this easier but I'm no expert on those...
> IF (NOT ("&" + "&") $ mylogin) ;
>    AND (NOT "--" $ mylogin) ;
>    AND (NOT ";" $ mylogin)   && And whatever else you want to test for...
>    * Concatenate and execute
> ELSE
>    * MESSAGEBOX("Invalid Login.")
> ENDIF

Wouldn't you know, soon after I sent this, I found this one:

   ' or '1'='1

So the code would have to be

mylogin = ALLTRIM(mylogin)
mypassword = ALLTRIM(mypassword)
IF (NOT ("&" + "&") $ mylogin) ;
   AND (NOT "--" $ mylogin) ;
   AND (NOT ";" $ mylogin) ;
   AND (NOT LEFT(mylogin,1) == "'") ;
   AND (NOT ("&" + "&") $ mypassword) ;
   AND (NOT "--" $ mypassword) ;
   AND (NOT ";" $ mypassword) ;
   AND (NOT LEFT(mypassword,1) == "'")
   * Concatenate and execute.
ELSE
   * Invalid input.
ENDIF

Ken Dibble
www.stic-cil.org

[excessive quoting removed by server]

_______________________________________________
Post Messages to: ProFox@leafe.com
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: http://leafe.com/archives/byMID/profox/000001ccec8e$9f44f730$ddcee590$@gmail.com
** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
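Editor's note, added to the archived thread and not part of either message: the two objections in the reply (a legitimate O'Hara breaks the concatenated statement, and the blacklist only looks at the first character for a quote) can be checked mechanically. The block below is a Python port of Ken's IF ... ENDIF test, run against an in-memory SQLite table that stands in for the real back end (that choice, the two sample rows, and the function names are assumptions made here; the original code is Visual FoxPro, and SQLite's quoting rules, not VFP's, decide what parses). The same inputs are then fed to a "concatenate and execute" login and to a parameterised one.

```python
"""Why a character blacklist in front of string-built SQL is not enough.

Constructed example: Ken's VFP check ported to Python and run against an
in-memory SQLite table with two made-up users. It shows the two cases
raised in the reply: a legitimate name containing a quote breaks the
concatenated statement, and an injection that keeps its quote out of the
first position passes the check untouched. Bound parameters have neither
problem because the data never becomes SQL text.
"""
import sqlite3


def passes_blacklist(login: str, password: str) -> bool:
    """Port of the quoted IF ... ENDIF test: ALLTRIM both fields, then
    reject '&&', '--' or ';' anywhere and a single quote as first char."""
    for field in (login.strip(), password.strip()):
        if "&&" in field or "--" in field or ";" in field:
            return False
        if field[:1] == "'":          # LEFT(field, 1) == "'"
            return False
    return True


def make_db() -> sqlite3.Connection:
    """Two constructed rows; the second login contains a quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("bob", "hunter2"), ("O'Hara", "secret")])
    return conn


def login_concat(conn, login: str, password: str):
    """The 'Concatenate and execute' branch. Returns the matching logins,
    or None when the assembled statement does not even parse."""
    sql = ("SELECT login FROM users WHERE login = '" + login
           + "' AND password = '" + password + "'")
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError:
        return None                   # e.g. near "Hara": syntax error


def login_param(conn, login: str, password: str):
    """Same query with bound parameters: quotes in the data stay data."""
    sql = "SELECT login FROM users WHERE login = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (login, password))]


def run_cases():
    """Run the three inputs discussed in the thread through both paths."""
    conn = make_db()
    cases = {
        "legit quote": ("O'Hara", "secret"),
        "quote not first": ("bob", "x' OR 'x'='x"),   # bypasses the check
        "quote first": ("' OR '1'='1", "anything"),   # caught by the check
    }
    results = {}
    for name, (login, password) in cases.items():
        allowed = passes_blacklist(login, password)
        results[name] = {
            "blacklist_allows": allowed,
            "concat": login_concat(conn, login, password) if allowed else "rejected",
            "param": login_param(conn, login, password),
        }
    return results


if __name__ == "__main__":
    for name, outcome in run_cases().items():
        print(f"{name:16s} {outcome}")
```

Reading the output: "legit quote" passes the blacklist, then the concatenated statement fails to parse while the parameterised one finds O'Hara; "quote not first" also passes the blacklist, and the concatenated statement returns every user (the injected OR is evaluated last), while the parameterised one returns nothing; only "quote first" is stopped by the check.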