revExecuteSQL Security
Peter Haworth
pete at lcsql.com
Wed Nov 12 11:50:51 EST 2014
Hi Dan,
For any calls that access a remote database, you should use the form that
includes ":1", ":2", etc in the SQL statement and variable name(s) to
supply the values for those placeholders.
That protects against SQL injection attacks and also removes the need to
escape quote characters in your data.
Pete
lcSQL Software <http://www.lcsql.com>
Home of lcStackBrowser <http://www.lcsql.com/lcstackbrowser.html> and
SQLiteAdmin <http://www.lcsql.com/sqliteadmin.html>
On Wed, Nov 12, 2014 at 7:29 AM, Dan Friedman <dan at clearvisiontech.com>
wrote:
> Does anyone know what is going on in the background of LiveCode's
> revExecuteSQL command (and related commands: revOpenDatabase
> revDataFromQuery, etc)? Are there any security features available? Is it
> safe to use these calls (read and write) to a server-side database in a
> commercially released app? Or, is it just really intended for local
> databases?
>
> Thanks!
> -Dan
> _______________________________________________
> use-livecode mailing list
> use-livecode at lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
>
More information about the use-livecode
mailing list