Database error?

J. Landman Gay jacque at hyperactivesw.com
Sat Apr 11 12:20:47 EDT 2015


Okay, so it sounds like there's no danger in my case. There's no public-facing access, so no way to retrieve a forgotten password. The single set of credentials is hard-coded into the app, which is unreadable after it's compiled, and the user doesn't know it. The only way to alter the SQL would be in a man-in-the-middle attack, and if that happened, all they'd get back would be the set of data we don't care about. The database doesn't connect to or access any other files on the server.

So unless there are SQL commands that can tell the database to access parts of the server that aren't the database, it sounds like the worst that would happen would be the deletion of the data, which isn't critical and is replaced daily anyway.

Am I on the right track?

On April 11, 2015 10:27:35 AM CDT, Peter Haworth <pete at lcsql.com> wrote:
>Right, but to do that they'd have to know a username/password.
>
>SQL injection attacks alter the SQL statements sent by a valid user so
>the attacker doesn't need to know a username/password.
>
>Even more scary is how hackers can get into a system using an "I forgot
>my password" form with SQL injection; lots of examples on the web.
>
>On Fri, Apr 10, 2015, 6:52 PM J. Landman Gay <jacque at hyperactivesw.com>
>wrote:
>
>> I freeze up with this stuff, just like I do with math. But...but...won't
>> an intruder be likely to send their own queries, regardless of how the
>> app is doing it? If they include raw values, the database will still
>> respond, right? So why would it matter how the app is doing it?
>>
>> On 4/10/2015 8:36 PM, Peter Haworth wrote:
>> > On Fri, Apr 10, 2015 at 6:14 PM, J. Landman Gay <jacque at hyperactivesw.com>
>> > wrote:
>> >
>> >> I'm not quite sure what Pete meant by using the variable name option in
>> >> the rev database functions though. (I am so not a database person.)
>> >
>> >
>> > Well you opened the door by asking :-)
>> >
>> > As an example, revDataFromQuery's syntax is
>> >
>> >
>> > revDataFromQuery([*columnDelim*],[*rowDelim*],*databaseID*,*SQLQuery*[,*varsList*])
>> >
>> > "varslist" is the thing I mentioned. It allows you to have a SELECT statement
>> > like this:
>> >
>> > SELECT col1,col2 FROM myTable WHERE col3=:1 AND col4=:2
>> >
>> > The values for :1 and :2 are supplied in the varslist which can either be a
>> > comma separated list of simple variable names or a single array variable
>> > with, in this case, keys 1 and 2, with the variable names enclosed in
>> > quotes.
>> >
>> > So the revDataFromQuery call would be:
>> >
>> > put revDataFromQuery(,,gDBID,tSelect,"tValue1","tValue2") into tData
>> >
>> > OR
>> >
>> > put revDataFromQuery(,,gDBID,tSelect,"tArray") into tData
>> >
>> > In addition to preventing SQL injection attacks, this also avoids the need
>> > to escape troublesome characters like quotes in the data.
>> >
>> > Pete
>> > lcSQL Software <http://www.lcsql.com>
>> > Home of lcStackBrowser <http://www.lcsql.com/lcstackbrowser.html> and
>> > SQLiteAdmin <http://www.lcsql.com/sqliteadmin.html>
>> > _______________________________________________
>> > use-livecode mailing list
>> > use-livecode at lists.runrev.com
>> > Please visit this url to subscribe, unsubscribe and manage your
>> > subscription preferences:
>> > http://lists.runrev.com/mailman/listinfo/use-livecode
>> >
>>
>>
>> --
>> Jacqueline Landman Gay         |     jacque at hyperactivesw.com
>> HyperActive Software           |     http://www.hyperactivesw.com
>>
>>

-- 
Jacqueline Landman Gay         |     jacque at hyperactivesw.com
HyperActive Software           |     http://www.hyperactivesw.com
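Pete's point about the varsList placeholders, quoted above, as an added example that is not part of this thread: the same SELECT on a table with the quoted column names, once with the values pasted into the SQL text and once with placeholders (sqlite3's `?` standing in for LiveCode's `:1` and `:2`). The table contents and the input values are constructed for the demonstration; the three inputs show a normal lookup, a value containing a quote (Pete's escaping point), and a value that rewrites the WHERE clause when concatenated but is just a string when passed as a parameter.

```python
import sqlite3

# Constructed rows standing in for "myTable" from the quoted explanation:
# (col1, col2, col3, col4).
ROWS = [
    ("alice", "a@example.com", "staff", "active"),
    ("bob", "b@example.com", "staff", "inactive"),
    ("carol", "c@example.com", "admin", "active"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE myTable (col1 TEXT, col2 TEXT, col3 TEXT, col4 TEXT)")
    conn.executemany("INSERT INTO myTable VALUES (?, ?, ?, ?)", ROWS)
    return conn


def query_concatenated(conn, v3, v4):
    """Unsafe pattern: the values become part of the SQL text, so a quote in
    the data ends the literal early and anything after it is parsed as SQL."""
    sql = ("SELECT col1,col2 FROM myTable WHERE col3='" + v3
           + "' AND col4='" + v4 + "' ORDER BY col1")
    return conn.execute(sql).fetchall()


def query_parameterized(conn, v3, v4):
    """Safe pattern: the statement text is fixed and the values travel
    separately, which is what LiveCode's :1/:2 varsList does."""
    sql = "SELECT col1,col2 FROM myTable WHERE col3=? AND col4=? ORDER BY col1"
    return conn.execute(sql, (v3, v4)).fetchall()


def compare(v3, v4):
    """Run both forms on the same input and return
    (concatenated_result, parameterized_result). The concatenated result is
    the string 'SQL error' when the pasted text breaks the statement."""
    conn = make_db()
    try:
        unsafe = query_concatenated(conn, v3, v4)
    except sqlite3.Error:
        unsafe = "SQL error"
    safe = query_parameterized(conn, v3, v4)
    conn.close()
    return unsafe, safe


if __name__ == "__main__":
    for v3, v4 in [("staff", "active"), ("O'Brien", "active"), ("x' OR '1'='1", "active")]:
        unsafe, safe = compare(v3, v4)
        print(f"input col3={v3!r}: concatenated -> {unsafe}; parameterized -> {safe}")
```

With the plain input both forms return the same single row. With `O'Brien` the concatenated statement fails to parse, while the parameterized one simply finds no match. With the third input the concatenated WHERE clause now reads `col3='x' OR '1'='1' AND col4='active'` and returns every active row, whereas the parameterized query looks for a col3 literally equal to that string and returns nothing; the database was never asked a different question.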
