You're more than welcome, Mike :)
-----Original Message-----
From: profoxtech-boun...@leafe.com [mailto:profoxtech-boun...@leafe.com] On
Behalf Of Mike Copeland
Sent: Saturday, June 25, 2011 11:08 PM
To: profoxt...@leafe.com
Subject: Re: [NF] Questions on migrating VFP app
Grigore...THAT is a kick-butt high-value tip! MANY thanks!
I have so much to learn...
Mike
> It will also solve another issue - if you have legit data containing
> double quotes, or single quotes, or backslashes (which are treated as
> escape chars in MySQL), the data will be properly stored in server.
> For example, some people store the reports definitions on server;
> users download them and run the reports on-the-fly. This approach
> allows the developer to change the reports definition and the users
> will happily use new reports; no deployment is required. Problem is
> the reports are binary files and contain A LOT of invalid characters
> (from a sql concatenation point of view). But if they're read from
> development machine and sent to server using
>
> lcFrxFile = FileToStr("myreport.frx")
> lcFrtFile = FileToStr("myreport.frt")
> SQLExec(nHandle, "Insert Into ReportsDefinitions (FrxFile, FrtFile)
> Values (?lcFrxFile, ?lcFrtFile)" -- mysql version or Insert Into
> ReportsDefinition (FrxFile, FrtFile) Values (?lcFrxFile,
> ?lcFrtFile) -- VFP version
>
> everything will go smoothly. Bottom line, any binary file (images
> would be another example) can be safely sent to backend.
>
> -----Original Message-----
> From: profoxtech-boun...@leafe.com
> [mailto:profoxtech-boun...@leafe.com] On Behalf Of Mike Copeland
> Sent: Saturday, June 25, 2011 10:49 PM
> To: profoxt...@leafe.com
> Subject: Re: [NF] Questions on migrating VFP app
>
> Wow, if it's that simple (using parameterized queries) then I'm stupid
> lucky...that's how I've done SQL statements for a backend server
> (MYSQL) from day 1.
>
> So just by using parameters (?lcName) instead of string concatenation
> will resolve the problem?
>
> Mike
>
>> That works even in VFP, in a scenario similar to this:
>>
>> The application ask for user and password, then executes a query
>> similar to
>> this:
>>
>> 'SELECT loginfield, passwordfield From users where login=="' + login + '"
>> And Password =="' + password + '"'
>>
>> So far so good. And the user enter this as username:
>>
>> admin"&&
>>
>> Not sure I got the synthax right because I don't have VFP installed
>> to test, but the idea is to use an admin account, then COMMENT the
>> rest of
> the sql.
>> Tally will return 1 and voila, you have an admin logged in. Pretty
>> much similar to this one:
>>
>> Select loginfield, passwordfield From users where login=="admin"&& '"
>> and password = whatever, it doesn't matter - this part is commented
>> out
>>
>> The proper way to do this is to use query parameters:
>>
>> Select loginfield, passwordfield from users where loginfield ==?login
>> and passwordfield==?password
>>
>> This will instruct the backend to use the values as parameters
>> instead concatenating them in the sql, and they will be treated as
literal values.
>>
>> -----Original Message-----
>> From: profoxtech-boun...@leafe.com
>> [mailto:profoxtech-boun...@leafe.com] On Behalf Of Ed Leafe
>> Sent: Saturday, June 25, 2011 10:18 PM
>> To: profoxt...@leafe.com
>> Subject: Re: [NF] Questions on migrating VFP app
>>
>> On Jun 25, 2011, at 2:59 PM, Ken Dibble wrote:
>>
>>> I'm not saying that if you somehow managed to execute an SQL
>>> statement that contained nasty code it wouldn't do damage. I am just
>>> sitting here scratching my head wondering how anybody but a complete
>>> idiot would ever design a user interface that allows somebody to
>>> enter that kind of thing and have it be executable, as opposed to
>>> being treated as
>> data.
>>
>> Users don't enter entire SQL statements; you're right: nobody's that
>> stupid. But they do let them enter values that are then merged with
>> SQL templates in your code and executed.
>>
>> Here's the simplest example: you provide a textbox for the user to
>> type into, and then do string manipulation to create the query. Example:
>> image a 'search by name' textbox that the user types into, and then
>> clicks 'Search'. The app then creates an SQL statement using what the
>> user typed, and executes that to find the matching names. Let's say
>> the user types 'Leafe', and your code says (sorry, my Fox is rusty;
>> this
> is in Python):
>> sql = "select * from users where lastname = '" + txtName.Value + "';"
>> db_connection.execute(sql)
>>
>> This would yield the command:
>>
>> select * from users where lastname = 'Leafe';
>>
>> ...and all would be fine. But imagine if they had typed in: ';drop
>> table users; --
>>
>> This would yield:
>>
>> select * from users where lastname = '';drop table users; --';
>>
>> This is actually 3 commands: a select for empty last names, followed
>> by a DROP TABLE command, followed by a comment (lines beginning with
>> two dashes are comments). This, of course, is pretty disastrous to run.
>>
>>
>> -- Ed Leafe
>>
>>
>>
>>
[excessive quoting removed by server]
_______________________________________________
Post Messages to: ProFox@leafe.com
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message:
http://leafe.com/archives/byMID/profox/000401cc3374$4c1e7870$e45b6950$@gmail.com
** All postings, unless explicitly stated otherwise, are the opinions of the
author, and do not constitute legal or medical advice. This statement is added
to the messages for those lawyers who are too stupid to see the obvious.
