On 2/25/14 11:39 AM, Buck Calabro wrote:
Seriously, this is called an SQL injection attack. Instead of allowing
the end user to put any free-form text into your WHERE clause, build a
front end where they select the columns and conditions and have your
code construct the WHERE clause.

It occurred to me last night that anybody who would be able to use my current project to get into some other box would also be able to use, say, SQuirreL to do so, and anybody able to use it for same-box access would likely be able to use a STRSQL session as well; either way, they'd have a much easier time conducting an SQL injection through SQuirreL or STRSQL than they would trying to do it through a single field inserted in the WHERE clause of a SELECT.

That said, I also realized that I need to process character string keys quite a bit more than I'm doing: at this point, merely navigating to a record whose keyfield contains a single quote will kill the JVM.

And the simple act of imagining how a prepared statement could possibly be halfway-practical for making SQL mimic the behavior of RLA when absolutely nothing about the file is known at compile-time makes my brain hurt.


This thread ...


Return to Archive home page | Return to MIDRANGE.COM home page