There are several security systems out there, but if you are talking about sending variables to a program that interacts with a SQL database, then expert programmers already know several things about how it operates. One attack is to send a variable (e.g. homeAddress1) that actually contains an SQL command instead of a string (e.g. 2347 Main Street), which can play havoc with a data table.

The advantage to using a Rev cgi or an irev script is that the variables passed into that script can be handled in ways that most SQL programmers would not understand. Since you are building the SQL command using scripting language and not something like PHP or PERL, the odds are extremely low that
-- someone would want to attack you
-- someone would know how

The safest way is to try to detect SQL commands in all of your variables and simply reject the query. Of course, if a robotic program finds your url and makes 100 queries per second, it will overload your server even though it will not damage your database. If you find such a case, you can block the IP address using .htaccess [ the cgi or irev script becomes invisible to that source IP ] or other technique at the server level.

All of this can get quite esoteric if you are worried about attack from the unknown. However, in a classroom environment, the game is usually which student can figure out how to break something with a certain set of facts that give them a head start.

You could always make one of the variables a version number that has to be correct in order to run the irev script. Change the script version number, stop the previous users.


Jim Ault
Las Vegas
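As an added example (not Jim's or the list's code), here is how an irev script can take the homeAddress1 parameter he mentions, apply his version-number check, and hand the value to the database as a bound placeholder so the database never parses it as SQL. The parameter name "version", the table and column names, and the connection details are assumed placeholders.

```livecode
<?rev
-- Added example, not from the original thread. Connection details are placeholders.
put "3" into tRequiredVersion

-- Jim's version-number idea: the caller must send the current script version,
-- so changing tRequiredVersion cuts off anyone still using the old parameters.
if $_GET["version"] is not tRequiredVersion then
  put "rejected: wrong script version"
else
  put $_GET["homeAddress1"] into tAddress
  put revOpenDatabase("mysql", "localhost", "EXAMPLE_DB", \
      "EXAMPLE_USER", "EXAMPLE_PASSWORD") into tConnID
  if tConnID is not a number then
    -- revOpenDatabase returns an error string rather than a connection id on failure
    put "rejected: database unavailable"
  else
    -- :1 is bound to the variable named in the last argument, so a value
    -- containing quotes or SQL keywords is compared as an address string,
    -- never executed as part of the statement. No keyword detection needed.
    put revDataFromQuery(tab, return, tConnID, \
        "SELECT name FROM customers WHERE address = :1", "tAddress") into tData
    revCloseDatabase tConnID
    if tData begins with "revdberr" then
      put "rejected: query failed"
    else
      put tData
    end if
  end if
end if
?>
```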



On Mar 26, 2010, at 12:44 AM, Sarah Reichelt wrote:

On Fri, Mar 26, 2010 at 5:21 PM, Kay C Lan <lan.kc.macm...@gmail.com> wrote:
Hi Sarah,

but what's stopping me

on mouseUp
 put URL "http://myusername.on-rev.com/readDB.irev" into tDBdata -- fetch the script's output
 -- now display it
end mouseUp

to your account?


Nothing :-)

But you only get the results from my database, you don't get my
password or user name.
I am developing a couple of apps that use this technique. One is a web
app, where web pages query the database and display the data directly,
and another where a standalone app queries the database.

In both cases, there are parameters that have to be sent to make the
database script work correctly so I guess I am relying on the fact
that nobody knows the web address of the irev files that query the
server and after that, nobody knows exactly what parameters to send to
this file to make it return any data.

But this is an interesting discussion and I would love somebody more
knowledgeable than me to weigh in with an expert opinion.

Cheers,
Sarah




_______________________________________________
use-revolution mailing list
use-revolution@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-revolution
