RE: [Flashcoders] LoadVars and SQL Query issue

2008-02-02 Thread Pete Hotchkiss
Omar

This is the least of your worries; Google "SQL injection attacks" before you
waste too much more development time trying to resolve this issue.

Pete


-Original Message-
From: [EMAIL PROTECTED] on behalf of Omar Fouad
Sent: Sat 2/2/2008 1:07 AM
To: Flash Coders List
Subject: [Flashcoders] LoadVars and SQL Query issue
 
I am doing an application where I'm writing some classes that send queries
to a php file by using LoadVars.send().

var toSend:LoadVars = new LoadVars();
var myQuery:String = "select * from users where Name = 'Omar Fouad'";
toSend.query = myQuery; // traces "select * from users where Name = 'Omar Fouad'"
toSend.send("File.php", "_self", "POST");

At this phase the php file receives the query, and when I echo the query
string it appears as:

select * from users where Name = \'Omar Fouad\'
That's how it is sent to the server, so of course it shows an SQL error
because of the backslashes. Apparently it does not recognize the String in
the String part of the query that is sent from Flash.

When I send a query for a Number like:

select * from users where id = 1

it queries the database without problems.

How can I solve this problem?

Thanks and Regards.

-- 
Omar M. Fouad - Digital Emotions
http://www.omarfouad.net

___
Flashcoders mailing list
Flashcoders@chattyfig.figleaf.com
http://chattyfig.figleaf.com/mailman/listinfo/flashcoders




Re: [Flashcoders] LoadVars and SQL Query issue

2008-02-01 Thread Dave Mennenoh

You can escape() the string in Flash, then use urldecode() on it in PHP.

Dave -
Head Developer
http://www.blurredistinction.com
Adobe Community Expert
http://www.adobe.com/communities/experts/


Re: [Flashcoders] LoadVars and SQL Query issue

2008-02-01 Thread Juan Pablo Califano
This isn't a Flash issue really. Depending on the installed version, php 
defaults to a setting called magic quotes. This automatically escapes any 
quotes received by an http request (either post or get methods) with a 
backslash.


http://ar2.php.net/magic_quotes

You can disable that setting or remove the backslashes, check the link for 
more info on that.


On a side note, I'd recommend not to construct the query on the flash side, 
as it's much more problematic, security-wise. What about if someone posts 
"delete * from users" to File.php? Yes, you can try and validate the 
queries, but it's already hard to properly validate the parameterized data in 
a pre-built query hardcoded in a php script, let alone validating a whole 
user-supplied string as a sql query.



Cheers
Juan Pablo Califano
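As an added illustration of Juan Pablo's recommendation (not code from the thread): a File.php that takes only the name value from Flash, undoes magic_quotes escaping if the server still has it on, and keeps the SQL text server-side with a bound parameter. The table and column names, the response field names and the database credentials are assumed placeholders; the Flash side would set toSend.name = "Omar Fouad" instead of toSend.query.

```php
<?php
// Added example, not from the thread. Assumes a MySQL table `users` with
// `id` and `Name` columns; credentials below are placeholders.

// 1. Return a POST value as the client actually sent it. With magic_quotes_gpc
//    on, PHP has already added backslashes (the \'Omar Fouad\' seen in the
//    thread); strip them so the value is escaped exactly once, by the driver.
function raw_post($key) {
    if (!isset($_POST[$key])) {
        return null;
    }
    $value = $_POST[$key];
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// 2. Only the data crosses the wire. The query is fixed here; a quote or a
//    keyword inside $name is just a string value, never SQL.
$name = raw_post('name');
if ($name === null || strlen($name) > 64) {
    header('HTTP/1.1 400 Bad Request');
    exit('missing or oversized name');
}

$db = new mysqli('localhost', 'db_user', 'db_pass', 'db_name'); // placeholders
if ($db->connect_error) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('database unavailable');
}

$stmt = $db->prepare('SELECT id, Name FROM users WHERE Name = ?');
$stmt->bind_param('s', $name);
$stmt->execute();
$stmt->bind_result($id, $foundName);

// 3. Answer in the url-encoded form LoadVars.onLoad parses (count, name0, name1...).
$fields = array();
$i = 0;
while ($stmt->fetch()) {
    $fields[] = 'name' . $i++ . '=' . urlencode($foundName);
}
$stmt->close();
$db->close();

header('Content-Type: application/x-www-form-urlencoded');
echo 'count=' . $i . ($i > 0 ? '&' . implode('&', $fields) : '');
?>
```

A request carrying query text instead of a name is simply ignored here, so the "delete * from users" case above has nothing to execute.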



