Connecting Rev stack to On-Rev mySQL DB?

Jim Ault jimaultwins at yahoo.com
Fri Mar 26 04:23:57 EDT 2010


There are several security systems out there, but if you are talking  
about sending variables to a program that interacts with a SQL  
database, then expert programmers already know several things  
about how it operates.  One attack is to send a variable (e.g.  
homeAddress1) that actually contains an SQL command instead of a  
string (e.g. 2347 Main Street), which can play havoc with a data table.

The advantage to using a Rev cgi or an irev script is that the  
variables passed into that script can be handled in ways that most SQL  
programmers would not understand.  Since you are building the SQL  
command using scripting language and not something like PHP or PERL,  
the odds are extremely low that
-- someone would want to attack you
-- someone would know how

The safest way is to try to detect SQL commands in all of your  
variables and simply reject the query.
Of course, if a robotic program finds your url and makes 100 queries  
per second, it will overload your server even though it will not  
damage your database.  If you find such a case, you can block the IP  
address using .htaccess [ the cgi or irev script becomes invisible to  
that source IP ] or other technique at the server level.

All of this can get quite esoteric if you are worried about attack  
from the unknown.  However, in a classroom environment, the game is  
usually which student can figure out how to break something with a  
certain set of facts that give them a head start.

You could always make one of the variables a version number that has  
to be correct in order to run the irev script.  Change the script  
version number, stop the previous users.


Jim Ault
Las Vegas



On Mar 26, 2010, at 12:44 AM, Sarah Reichelt wrote:

> On Fri, Mar 26, 2010 at 5:21 PM, Kay C Lan  
> <lan.kc.macmail at gmail.com> wrote:
>> Hi Sarah,
>>
>> but what's stopping me
>>
>> on mouseUp
>>  put "http://myusername.on-rev.com/readDB.irev" into tDBdata
>>  -- now display it
>> end mouseUp
>>
>> to your account?
>
>
> Nothing :-)
>
> But you only get the results from my database, you don't get my
> password or user name.
> I am developing a couple of apps that use this technique. One is a web
> app, where web pages query the database and display the data directly,
> and another where a standalone app queries the database.
>
> In both cases, there are parameters that have to be sent to make the
> database script work correctly so I guess I am relying on the fact
> that nobody knows the web address of the irev files that query the
> server and after that, nobody knows exactly what parameters to send to
> this file to make it return any data.
>
> But this is an interesting discussion and I would love somebody more
> knowledgeable than me to weigh in with an expert opinion.
>
> Cheers,
> Sarah
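The attack Jim describes above, an address field that carries SQL instead of an address, worked through as an added example that is not code from this thread or from the Rev/irev scripts being discussed. It uses Python with an in-memory sqlite3 table standing in for the On-Rev MySQL database (an assumption so the example runs offline; the table, rows and the hostile value are constructed). It shows the UPDATE built by string concatenation beside the same UPDATE written with the driver's parameter binding, a technique the post itself does not mention.

```python
import sqlite3

# Constructed stand-in for the On-Rev MySQL table (assumption: sqlite3 so
# the example runs offline; parameter binding behaves the same with MySQL
# drivers that support placeholders).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, homeAddress1 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (id, name, homeAddress1) VALUES (?, ?, ?)",
        [(1, "Sarah", "1 Oak Lane"), (2, "Kay", "2 Elm Road"), (3, "Jim", "3 Desert Way")],
    )
    conn.commit()
    return conn


def update_address_unsafe(conn, customer_id, home_address1):
    # The statement is assembled by concatenating the request variable into
    # the SQL text, the pattern the thread warns about. Returns the SQL that
    # was actually run so the reader can see how the variable rewrote it.
    sql = (
        "UPDATE customers SET homeAddress1 = '" + home_address1 + "' "
        "WHERE id = " + str(customer_id)
    )
    conn.execute(sql)
    conn.commit()
    return sql


def update_address_safe(conn, customer_id, home_address1):
    # Same update, but the value is passed as a bound parameter: the driver
    # sends it as data, so quotes and comment markers inside it cannot change
    # the statement's structure.
    conn.execute(
        "UPDATE customers SET homeAddress1 = ? WHERE id = ?",
        (home_address1, customer_id),
    )
    conn.commit()


def addresses(conn):
    return {
        row[0]: row[1]
        for row in conn.execute("SELECT id, homeAddress1 FROM customers ORDER BY id")
    }


# Constructed hostile value: it looks like an address field, but the quote
# closes the string literal, "WHERE 1=1" replaces the intended row filter and
# "--" comments out the rest of the original statement.
HOSTILE = "2347 Main Street' WHERE 1=1 --"
BENIGN = "2347 Main Street"


def demo():
    """Run the hostile value through both paths against fresh tables."""
    conn = make_db()
    ran = update_address_unsafe(conn, 1, HOSTILE)
    after_unsafe = addresses(conn)          # every row overwritten

    conn = make_db()
    update_address_safe(conn, 1, HOSTILE)
    after_safe = addresses(conn)            # only row 1 changed, value stored literally
    return ran, after_unsafe, after_safe


if __name__ == "__main__":
    ran, after_unsafe, after_safe = demo()
    print("statement actually executed:", ran)
    print("after concatenation:", after_unsafe)
    print("after parameter binding:", after_safe)
```

Concatenation turns a single-row update into a table-wide one because the "address" supplies its own WHERE clause; with binding the identical value is simply stored as the odd-looking string it is. The same distinction applies whatever language assembles the query, since the database parses the text it is handed and has no way to know which characters came from the user.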