And one more thing: I am still waiting for your answer on this: what your
application does if the user wants to search for 

"Mom and Pop" shop

(double quotes included, because that's the real name of the shop)?

I really hope you won't tell me "I do not allow double quotes in the name"
or "that will never happen in my system"

-----Original Message-----
From: profoxtech-boun...@leafe.com [mailto:profoxtech-boun...@leafe.com] On
Behalf Of Ken Dibble
Sent: Sunday, June 26, 2011 6:20 PM
To: profoxt...@leafe.com
Subject: RE: [NF] Questions on migrating VFP app

I think they should put that on the fronts of two railway locomotives and
have them crash into each other. A perfect metaphor for what we were talking
about.

I want to thank everybody who responded. I understand what can happen if bad
code gets executed. I'm still scratching my head over why people weren't
following what I consider to be a basic principle of user interface
design--prevent invalid input--long before this security issue was ever
discovered, or indeed before SQL was ever invented.

Oh well...

Ken Dibble
www.stic-cil.org

>On the funny side:
>
>http://www.grigore.dolghin.ro/wp-content/uploads/2011/02/for_traffic_cameras.jpg
>
>hehehe ;)
>
>-----Original Message-----
>From: profoxtech-boun...@leafe.com 
>[mailto:profoxtech-boun...@leafe.com] On Behalf Of Ken Dibble
>Sent: Saturday, June 25, 2011 11:37 PM
>To: profoxt...@leafe.com
>Subject: Re: [NF] Questions on migrating VFP app
>
>
> >         Users don't enter entire SQL statements; you're right:
> > nobody's that stupid. But they do let them enter values that are 
> > then merged with SQL templates in your code and executed.
> >
> >         Here's the simplest example: you provide a textbox for the 
> > user to type into, and then do string manipulation to create the query.
> > Example: imagine a 'search by name' textbox that the user types into, 
> > and then clicks 'Search'. The app then creates an SQL statement 
> > using what the user typed, and executes that to find the matching names.
> > Let's say the user types 'Leafe', and your code says (sorry, my Fox 
> > is rusty; this is in Python):
> >
> >sql = "select * from users where lastname = '" + txtName.Value + "';"
> >db_connection.execute(sql)
> >
> >This would yield the command:
> >
> >select * from users where lastname = 'Leafe';
> >
> >...and all would be fine. But imagine if they had typed in: ';drop 
> >table users; --
> >
> >This would yield:
> >
> >select * from users where lastname = '';drop table users; --';
> >
> >This is actually 3 commands: a select for empty last names, followed 
> >by a DROP TABLE command, followed by a comment (lines beginning with 
> >two dashes are comments). This, of course, is pretty disastrous to run.
>
>Okay. But that would never have happened in my case because my code 
>detects characters that aren't valid for a search on people's names, 
>tells the user "invalid entry" and stops before any SQL expression gets 
>constructed. An apostrophe not surrounded by alphabetic characters 
>isn't valid, nor is a semicolon. (Semicolon wouldn't work in VFP 
>either; that expression would throw an error--maybe another good reason 
>not to have programming languages whose lines of code end in characters 
>ordinary people can enter on a
>keyboard...*LOL*)
>
>I designed it that way not because I was conscious of security issues, 
>but because it's always been my understanding that user interfaces 
>should be designed to be as helpful as possible and to prevent users 
>from making errors insofar as possible.
>
>I'm learning a lot from this discussion. But fumble-fingered typists 
>can come up with all kinds of bizarre results, and it happens all the 
>time. I also don't use delimiters that can be valid portions of data 
>and therefore have to be escaped; it's more work than it needs to be. I 
>don't know why anyone would do that. And I just remain amazed that 
>people whose pay grades and experience are far beyond my own would 
>design interfaces that would let users search a database on non-valid 
>terms for the kind of data they're looking for.
>
>Ken
>www.stic-cil.org
>
>

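Putting the two threads side by side, the concatenated query from the quoted message and the `"Mom and Pop" shop` question above, here is an added example (not code from any poster) using Python's built-in sqlite3 module and a few constructed sample rows:

```python
import sqlite3

# Constructed sample rows: names a "no quotes allowed" validator would reject,
# plus the plain one from the quoted message.
SAMPLE_NAMES = ["Leafe", "O'Brien", '"Mom and Pop" shop']


def build_db():
    """In-memory users table filled with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (id integer primary key, lastname text)")
    conn.executemany("insert into users (lastname) values (?)",
                     [(n,) for n in SAMPLE_NAMES])
    return conn


def search_concat(conn, name):
    """The pattern from the quoted message: user text spliced into the SQL.
    Returns the matching names, or the error text when the SQL breaks.
    sqlite3 refuses a second statement in one execute() call (older Pythons
    raise sqlite3.Warning, newer ones sqlite3.ProgrammingError), so the
    DROP is rejected here; a server that accepts stacked queries would run it."""
    sql = "select lastname from users where lastname = '" + name + "';"
    try:
        return [row[0] for row in conn.execute(sql)]
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return "SQL error: " + str(exc)


def search_param(conn, name):
    """Bound parameter: the name is sent as data, never parsed as SQL, so
    apostrophes, double quotes and semicolons need no validation or escaping."""
    rows = conn.execute("select lastname from users where lastname = ?", (name,))
    return [row[0] for row in rows]


def users_table_exists(conn):
    """True while the users table is still present."""
    row = conn.execute(
        "select count(*) from sqlite_master where type='table' and name='users'"
    ).fetchone()
    return row[0] == 1


if __name__ == "__main__":
    db = build_db()
    for q in SAMPLE_NAMES + ["';drop table users; --"]:
        print(repr(q), "concat:", search_concat(db, q), "param:", search_param(db, q))
    print("users table still exists:", users_table_exists(db))
```

The parameterized search finds "O'Brien" and the double-quoted shop name unchanged, while the concatenated one breaks on the apostrophe; the quoted DROP payload matches no row under the bound parameter and the table survives.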
_______________________________________________
Post Messages to: ProFox@leafe.com
Subscription Maintenance: http://leafe.com/mailman/listinfo/profox
OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: 
http://leafe.com/archives/byMID/profox/000101cc3418$bead4e30$3c07ea90$@gmail.com