Right. I'm your user and I enter "'] as my name. what you gonna do?

-----Original Message-----
From: profoxtech-boun...@leafe.com [mailto:profoxtech-boun...@leafe.com] On
Behalf Of Ken Dibble
Sent: Saturday, June 25, 2011 5:34 PM
To: profoxt...@leafe.com
Subject: Re: [NF] Questions on migrating VFP app


>
>How do people login in your applications?
>
>Find anything by user supplied search via Name.

The user would not have the Users table available as an option to search,
first of all. My interface only permits searches on certain tables. The user
can't cause the system to execute 'SELECT password from users where login =
"admin"' and get the results displayed to him or her.

My login process accepts a user name and password and queries the users
table to see if there's a match. If there is, the user is logged in. If not,
the login is rejected.

The query template is something like:

'SELECT loginfield, passwordfield from users where login == "' + login + '" 
AND password == "' + password + '"'

IF _TALLY > 0
    * User is in and is told as much but the password is not returned to the user
ELSE
    * User is rejected
ENDIF

The user can only change the values of the login and password variables;
nothing else in the statement is user-modifiable.

This search expects only character expressions, and the internal code will
surround them with delimiters. It is not possible in any of my applications
to enter a SQL SELECT command or "special sequence" and have it treated as
anything other than data to be found (or not found) in some field.

Nothing in any of my applications could ever result in a statement like:

SELECT somenastything FROM someothernastything

The user never gets to enter any raw content that goes into a SQL command
expression--only properly delimited values expected to be found in, or
entered into, fields in tables whose names my software strictly controls.

The thing I don't get about this is that this is obvious to me, a journeyman
database developer, as being the only sane way to allow ordinary users
access to data. I do not understand why anybody would do it any other way,
and I don't understand how it is possible for very highly paid, supposedly
top-of-the-mark programmers to have ever created anything so stupid as to
permit this kind of thing to happen.

Ken Dibble
www.stic-cil.org


[excessive quoting removed by server]
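An added illustration, not part of the thread, in Python with sqlite3 standing in for the VFP engine: the message's template rebuilt as a string, a structural check that shows what a quote inside a "delimited value" does to that string, and the same lookup done with bound parameters (in VFP's own SELECT-SQL the equivalent is referencing the memory variable directly, `m.login`, instead of pasting it into the text). The users table and its rows are constructed for the example.

```python
import sqlite3

# Constructed sample data; second row is a legitimate name that contains a quote.
USERS = [("admin", "s3cret"), ('O"Brien', "pw1")]


def build_query_by_concatenation(login, password):
    """The template from the message, reproduced verbatim: the caller's values
    are pasted between double-quote delimiters.  Not executed here."""
    return ('SELECT loginfield, passwordfield from users where login == "'
            + login + '" AND password == "' + password + '"')


def delimiters_balanced(sql):
    """Structural check on a statement built from that template: two delimited
    values means exactly four double quotes.  A value carrying its own quote
    changes the count, i.e. part of the 'data' has become statement text."""
    return sql.count('"') == 4


def open_db():
    """In-memory stand-in for the users table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_parameterized(conn, login, password):
    """Same lookup with bound parameters: the statement text is fixed and the
    values travel separately, so a quote in a value is only a character."""
    row = conn.execute(
        "SELECT login FROM users WHERE login = ? AND password = ?",
        (login, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = open_db()
    for name, pw in [("admin", "s3cret"), ('O"Brien', "pw1"), ("\"']", "x")]:
        built = build_query_by_concatenation(name, pw)
        print(repr(name), "template intact:", delimiters_balanced(built),
              "| parameterized login:", login_parameterized(db, name, pw))
```

The concatenated form is only inspected, never run: the point is that the quote count changes as soon as a value contains the delimiter, while the parameterized lookup returns the correct answer for the same inputs.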

_______________________________________________
Post Messages to: ProFox@leafe.com
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: 
http://leafe.com/archives/byMID/profox/000101cc3344$fee5d690$fcb183b0$@gmail.com
** All postings, unless explicitly stated otherwise, are the opinions of the 
author, and do not constitute legal or medical advice. This statement is added 
to the messages for those lawyers who are too stupid to see the obvious.
