Right. I'm your user and I enter "'] as my name. What you gonna do?

-----Original Message-----
From: profoxtech-boun...@leafe.com [mailto:profoxtech-boun...@leafe.com] On Behalf Of Ken Dibble
Sent: Saturday, June 25, 2011 5:34 PM
To: profoxt...@leafe.com
Subject: Re: [NF] Questions on migrating VFP app
> >How do people login in your applications?
> >Find anything by user supplied search via Name.

The user would not have the Users table available as an option to search, first of all. My interface only permits searches on certain tables. The user can't cause the system to execute 'SELECT password from users where login = "admin"' and get the results displayed to him or her.

My login process accepts a user name and password and queries the users table to see if there's a match. If there is, the user is logged in. If not, the login is rejected. The query template is something like:

'SELECT loginfield, passwordfield from users where login == "' + login + '" AND password == "' + password + '"'
IF _TALLY > 0
   * User is in and is told as much but the password is not returned to the user
ELSE
   * User is rejected
ENDIF

The user can only change the values of the login and password variables; nothing else in the statement is user-modifiable. This search expects only character expressions, and the internal code will surround them with delimiters.

It is not possible in any of my applications to enter a SQL SELECT command or "special sequence" and have it treated as anything other than data to be found (or not found) in some field. Nothing in any of my applications could ever result in a statement like:

SELECT somenastything FROM someothernastything

The user never gets to enter any raw content that goes into a SQL command expression--only properly delimited values expected to be found in, or entered into, fields in tables whose names my software strictly controls.

The thing I don't get about this is that this is obvious to me, a journeyman database developer, as being the only sane way to allow ordinary users access to data. I do not understand why anybody would do it any other way, and I don't understand how it is possible for very highly paid, supposedly top-of-the-mark programmers to have ever created anything so stupid as to permit this kind of thing to happen.
Ken Dibble
www.stic-cil.org

This message: http://leafe.com/archives/byMID/profox/000101cc3344$fee5d690$fcb183b0$@gmail.com
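As an added example that is not code from either poster: the quoted login template re-typed in Python, so the reply's input can be fed through it, beside a parameterized lookup against a constructed SQLite table. The table, column names and sample rows are assumptions made for the illustration.

```python
import sqlite3

# The exact value the reply proposes entering as the user name.
PROBE = '"\']'


def build_query_by_concatenation(login: str, password: str) -> str:
    """Reproduce the quoted template: the program adds the " delimiters and
    splices the user's values straight into the statement text."""
    return ('SELECT loginfield, passwordfield FROM users WHERE login == "'
            + login + '" AND password == "' + password + '"')


def delimiters_balanced(sql: str) -> bool:
    """True when every " the program added still has a partner. A " inside a
    user value closes the delimiter early, so the text that reaches the SQL
    engine no longer has the shape the template intended."""
    return sql.count('"') % 2 == 0


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table (assumed schema, sample data)."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE users (login TEXT, password TEXT)')
    conn.executemany('INSERT INTO users VALUES (?, ?)',
                     [('admin', 'correct-horse'), (PROBE, 'odd-name-pw')])
    conn.commit()
    return conn


def login_ok(conn: sqlite3.Connection, login: str, password: str) -> bool:
    """Parameterized lookup: the statement text is fixed and the values travel
    separately, so a quote or bracket in them is only ever compared as data,
    which is the guarantee the quoted message describes."""
    row = conn.execute(
        'SELECT 1 FROM users WHERE login = ? AND password = ?',
        (login, password)).fetchone()
    return row is not None


if __name__ == '__main__':
    print(build_query_by_concatenation(PROBE, 'pw'))
    print('balanced:', delimiters_balanced(build_query_by_concatenation(PROBE, 'pw')))
    db = make_db()
    print('admin login:', login_ok(db, 'admin', 'correct-horse'))
    print('probe as name:', login_ok(db, PROBE, 'odd-name-pw'))
```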