Database error?

Peter Haworth pete at lcsql.com
Sat Apr 11 11:27:35 EDT 2015


Right, but to do that they'd have to know a username/password.

SQL injection attacks alter the SQL statements sent by a valid user so the
attacker doesn't need to know a username/password.

Even more scary is how hackers can get into a system using an "I forgot my
password" form with SQL injection; lots of examples on the web.

On Fri, Apr 10, 2015, 6:52 PM J. Landman Gay <jacque at hyperactivesw.com>
wrote:

> I freeze up with this stuff, just like I do with math. But...but...won't
> an intruder be likely to send their own queries, regardless of how the
> app is doing it? If they include raw values, the database will still
> respond, right? So why would it matter how the app is doing it?
>
> On 4/10/2015 8:36 PM, Peter Haworth wrote:
> > On Fri, Apr 10, 2015 at 6:14 PM, J. Landman Gay <jacque at hyperactivesw.com>
> > wrote:
> >
> >> I'm not quite sure what Pete meant by using the variable name option in
> >> the rev database functions though. (I am so not a database person.)
> >
> >
> > Well you opened the door by asking :-)
> >
> > As an example, revDataFromQuery's syntax is
> >
> > revDataFromQuery([*columnDelim*],[*rowDelim*],*databaseID*,*SQLQuery*[,
> > *varsList*])
> >
> > "varslist" is the thing I mentioned.  It allows you to have a SELECT statement
> > like this:
> >
> > SELECT col1,col2 FROM myTable WHERE col3=:1 AND col4=:2
> >
> > The values for :1 and :2 are supplied in the varslist which can either be a
> > comma separated list of simple variable names or a single array variable
> > with, in this case, keys 1 and 2, with the variable names enclosed in
> > quotes.
> >
> > So the revDataFromQuery call would be:
> >
> > put revDataFromQuery(,,gDBID,tSelect,"tValue1","tValue2") into tData
> >
> > OR
> >
> > put revDataFromQuery(,,gDBID,tSelect,"tArray") into tData
> >
> > In addition to preventing SQL injection attacks, this also avoids the need
> > to escape troublesome characters like quotes in the data.
> >
> > Pete
> > lcSQL Software <http://www.lcsql.com>
> > Home of lcStackBrowser <http://www.lcsql.com/lcstackbrowser.html> and
> > SQLiteAdmin <http://www.lcsql.com/sqliteadmin.html>
> > _______________________________________________
> > use-livecode mailing list
> > use-livecode at lists.runrev.com
> > Please visit this url to subscribe, unsubscribe and manage your
> > subscription preferences:
> > http://lists.runrev.com/mailman/listinfo/use-livecode
> >
>
>
> --
> Jacqueline Landman Gay         |     jacque at hyperactivesw.com
> HyperActive Software           |     http://www.hyperactivesw.com
>
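The parameterised call Pete describes, carried over to Python's sqlite3 as an added example (this is not code from the thread or from LiveCode): sqlite3's :1/:2 placeholders bound from a dict with keys "1" and "2" play the role of the varsList array, the table and rows are constructed, and the concatenated version is shown beside it so the effect of a quote in the data is visible.

```python
import sqlite3

# Constructed sample table and rows; not data from the mailing-list thread.
SAMPLE_ROWS = [
    ("Alice", "alice@example.com", "O'Brien", 42),
    ("Bob", "bob@example.com", "Smith", 7),
]


def make_db():
    """Open an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE myTable (col1 TEXT, col2 TEXT, col3 TEXT, col4 INTEGER)")
    conn.executemany("INSERT INTO myTable VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def query_concatenated(conn, value3, value4):
    """Paste the values into the SQL text. A quote inside value3 closes the
    string literal early, so the database parses a different statement from
    the one the programmer wrote (here it fails to parse at all)."""
    sql = ("SELECT col1,col2 FROM myTable WHERE col3='" + value3
           + "' AND col4=" + str(value4))
    return conn.execute(sql).fetchall()


def query_parameterised(conn, value3, value4):
    """Counterpart of revDataFromQuery(,,gDBID,tSelect,"tArray"): the SQL text
    is fixed and the values travel separately under keys 1 and 2, so a quote
    in the data is just data and needs no escaping."""
    sql = "SELECT col1,col2 FROM myTable WHERE col3=:1 AND col4=:2"
    return conn.execute(sql, {"1": value3, "2": value4}).fetchall()


def concatenation_breaks(conn, value3, value4):
    """True if the concatenated form is rejected by the SQL parser for this input."""
    try:
        query_concatenated(conn, value3, value4)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(query_parameterised(db, "O'Brien", 42))   # [('Alice', 'alice@example.com')]
    print(concatenation_breaks(db, "O'Brien", 42))  # True
```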
