On 24 Apr 2017, at 2:33am, Keith Medcalf <[email protected]> wrote:
> [history]
That’s very interesting. I’m remembering the first DBMS language I used on
desktop computers rather than mainframes or minis. It was something called
"Q-Pro 4" and included both database commands and user interface commands.
Just as you describe Sybase, there was no opportunity for injection because
there was no way to construct a database command from a string. Variables
could lead only to values for storage and searching, not to entire commands.
The company used Q-Pro 4 for financial programs for years without problems. We
had only one hacking attempt by an employee of one of our customers. It was
initially successful because the database files stored data in a very simple
all-text structure. It was found out because the hacker didn’t update the
accompanying index files and a few days after the hack the program complained
about a corrupt index. Had the hacker known, he could have had the software
update each index file with one simple command for each one, but he didn’t have
the language documentation or take the time to explore how it worked.
Alternatively he could have written a little Q-Pro program to do the updating
instead of (we guessed) using a text editor.
And that, folks, was the beginning of my interest in computer security.
Injection vulnerabilities had to wait for free-form English-like database
commands. Not certain when that was. I’m betting that SQL wasn’t the first
language described that way, but I don’t remember what was. Certainly,
problems like

    execute ("UPDATE accounts SET phone = '$p'")

    $p <-- "5551234"
    --> UPDATE accounts SET phone = '5551234'

    $p <-- "5551234', balance = '999999.99"
    --> UPDATE accounts SET phone = '5551234', balance = '999999.99'

didn’t trouble me until SQL appeared.
Simon.
_______________________________________________
sqlite-users mailing list
[email protected]
http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
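The UPDATE example in Simon's message, run both ways against SQLite: once with the command built from a string (the value becomes part of the command) and once with a bound parameter (the value can only ever be a value). This is an added example, not code from the post; the `accounts` table and its starting row are constructed here for the demonstration.

```python
import sqlite3

def make_db():
    """Constructed sample data: one account with a phone number and a balance."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, phone TEXT, balance REAL)")
    con.execute("INSERT INTO accounts VALUES (1, '5550000', 100.0)")
    return con

def update_phone_concat(con, p):
    """The pattern from the post: execute("UPDATE accounts SET phone = '$p'").
    Because the command is assembled from a string, $p can extend the command."""
    con.execute("UPDATE accounts SET phone = '%s'" % p)
    return con.execute("SELECT phone, balance FROM accounts WHERE id = 1").fetchone()

def update_phone_param(con, p):
    """The same update with a bound parameter: SQLite receives the command and the
    value separately, so the value is stored verbatim and cannot change the command."""
    con.execute("UPDATE accounts SET phone = ?", (p,))
    return con.execute("SELECT phone, balance FROM accounts WHERE id = 1").fetchone()

# The two inputs from the post.
BENIGN = "5551234"
HOSTILE = "5551234', balance = '999999.99"

if __name__ == "__main__":
    print("concat, benign :", update_phone_concat(make_db(), BENIGN))
    print("concat, hostile:", update_phone_concat(make_db(), HOSTILE))  # balance rewritten
    print("param,  hostile:", update_phone_param(make_db(), HOSTILE))   # balance untouched
```

With the concatenated command the hostile input rewrites `balance`; with the parameter the whole string, quote and all, is simply stored as the phone number.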