× The internal search function is temporarily non-functional. The current search engine is no longer viable and we are researching alternatives.
As a stop gap measure, we are using Google's custom search engine service.
If you know of an easy to use, open source, search engine ... please contact support@midrange.com.



James,

SQL injection only applies to applications that make use of SQL; in what is
supposed to be a limited way by end users.

STRSQL, SQuirreL, Run SQL Scripts are not such apps.




On Wed, Feb 26, 2014 at 11:30 AM, James H. H. Lampert <
jamesl@xxxxxxxxxxxxxxxxx> wrote:

On 2/25/14 11:39 AM, Buck Calabro wrote:
Seriously, this is called an SQL injection attack. Instead of allowing
the end user to put any free-form text into your WHERE clause, build a
front end where they select the columns and conditions and have your
code construct the WHERE clause.

It occurred to me last night that anybody who would be able to use my
current project to get into some other box would also be able to use,
say, SQuirreL to do so, and anybody able to use it for same-box access
would likely be able to use a STRSQL session as well; either way, they'd
have a much easier time conducting an SQL injection through SQuirreL or
STRSQL than they would trying to do it through a single field inserted
in the WHERE clause of a SELECT.

That said, I also realized that I need to process character string keys
quite a bit more than I'm doing: at this point, merely navigating to a
record whose keyfield contains a single quote will kill the JVM.

And the simple act of imagining how a prepared statement could possibly
be halfway-practical for making SQL mimic the behavior of RLA when
absolutely nothing about the file is known at compile-time makes my
brain hurt.

--
JHHL
--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.



As an Amazon Associate we earn from qualifying purchases.

This thread ...

Follow-Ups:
Replies:

Follow On AppleNews
Return to Archive home page | Return to MIDRANGE.COM home page

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].

Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.