Database error?

Peter Haworth pete at lcsql.com
Sat Apr 11 12:33:59 EDT 2015


If there's no sensitive data, and the db credentials aren't used for any
other databases and/or user logins, I'd say you're OK.


Pete
lcSQL Software <http://www.lcsql.com>
Home of lcStackBrowser <http://www.lcsql.com/lcstackbrowser.html> and
SQLiteAdmin <http://www.lcsql.com/sqliteadmin.html>

On Sat, Apr 11, 2015 at 9:20 AM, J. Landman Gay <jacque at hyperactivesw.com>
wrote:

> Okay, so it sounds like there's no danger in my case. There's no public
> facing access, so no way to retrieve a forgotten password. The single set
> of credentials is hard coded into the app, which is unreadable after it's
> compiled, and the user doesn't know it. The only way to alter the SQL would
> be in a man in the middle attack, and if that happened, all they'd get back
> would be the set of data we don't care about. The database doesn't connect
> to or access any other files on the server.
>
> So unless there are SQL commands that can tell the database to access
> parts of the server that aren't the database, it sounds like the worst that
> would happen would be the deletion of the data, which isn't critical and is
> replaced daily anyway.
>
> Am I on the right track?
>
> On April 11, 2015 10:27:35 AM CDT, Peter Haworth <pete at lcsql.com> wrote:
> >Right, but to do that they'd have to know a username/password.
> >
> >SQL injection attacks alter the SQL statements sent by a valid user so
> >the attacker doesn't need to know a username/password.
> >
> >Even more scary is how hackers can get into a system using an "I forgot
> >my password" form with SQL injection; lots of examples on the web.
> >
> >On Fri, Apr 10, 2015, 6:52 PM J. Landman Gay <jacque at hyperactivesw.com>
> >wrote:
> >
> >> I freeze up with this stuff, just like I do with math. But...but...won't
> >> an intruder be likely to send their own queries, regardless of how the
> >> app is doing it? If they include raw values, the database will still
> >> respond, right? So why would it matter how the app is doing it?
> >>
> >> On 4/10/2015 8:36 PM, Peter Haworth wrote:
> >> > On Fri, Apr 10, 2015 at 6:14 PM, J. Landman Gay <jacque at hyperactivesw.com>
> >> > wrote:
> >> >
> >> >> I'm not quite sure what Pete meant by using the variable name option in
> >> >> the rev database functions though. (I am so not a database person.)
> >> >
> >> >
> >> > Well you opened the door by asking :-)
> >> >
> >> > As an example, revDataFromQuery's syntax is
> >> >
> >> > revDataFromQuery([*columnDelim*],[*rowDelim*],*databaseID*,*SQLQuery*[,*varsList*])
> >> >
> >> > "varslist" is the thing I mentioned.  It allows you to have a SELECT
> >> > statement like this:
> >> >
> >> > SELECT col1,col2 FROM myTable WHERE col3=:1 AND col4=:2
> >> >
> >> > The values for :1 and :2 are supplied in the varslist, which can either
> >> > be a comma separated list of simple variable names or a single array
> >> > variable with, in this case, keys 1 and 2, with the variable names
> >> > enclosed in quotes.
> >> >
> >> > So the revDataFromQuery call would be:
> >> >
> >> > put revDataFromQuery(,,gDBID,tSelect,"tValue1","tValue2") into tData
> >> >
> >> > OR
> >> >
> >> > put revDataFromQuery(,,gDBID,tSelect,"tArray") into tData
> >> >
> >> > In addition to preventing SQL injection attacks, this also avoids the
> >> > need to escape troublesome characters like quotes in the data.
> >> >
> >> > Pete
> >> > lcSQL Software <http://www.lcsql.com>
> >> > Home of lcStackBrowser <http://www.lcsql.com/lcstackbrowser.html> and
> >> > SQLiteAdmin <http://www.lcsql.com/sqliteadmin.html>
> >> > _______________________________________________
> >> > use-livecode mailing list
> >> > use-livecode at lists.runrev.com
> >> > Please visit this url to subscribe, unsubscribe and manage your
> >> subscription preferences:
> >> > http://lists.runrev.com/mailman/listinfo/use-livecode
> >> >
> >>
> >>
> >> --
> >> Jacqueline Landman Gay         |     jacque at hyperactivesw.com
> >> HyperActive Software           |     http://www.hyperactivesw.com
> >>
>
> --
> Jacqueline Landman Gay         |     jacque at hyperactivesw.com
> HyperActive Software           |     http://www.hyperactivesw.com
>
>
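As an added illustration of the varsList point Pete makes further down the thread (example code written for this archive page, not LiveCode code from the thread or from lcSQL Software): the same lookup done by pasting values into the SQL text and by binding them as parameters, using Python's sqlite3 module, whose `?` placeholders play the role of revDataFromQuery's :1 and :2. The myTable columns follow Pete's example; the rows are constructed for the demo.

```python
import sqlite3

# Constructed sample rows for the thread's "myTable" (col1..col4 are the
# column names from Pete's example; the data is made up for this demo).
ROWS = [
    ("1", "Alice", "alice", "active"),
    ("2", "Brian O'Brien", "o'brien", "active"),
    ("3", "Carol", "carol", "retired"),
]

def make_db():
    """Create an in-memory SQLite database holding the sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE myTable (col1 TEXT, col2 TEXT, col3 TEXT, col4 TEXT)")
    con.executemany("INSERT INTO myTable VALUES (?, ?, ?, ?)", ROWS)
    return con

def query_concatenated(con, col3, col4):
    """The pattern the thread warns against: values pasted into the SQL text.
    A quote in the data breaks the statement; SQL syntax in the data rewrites it."""
    sql = ("SELECT col1,col2 FROM myTable WHERE col3='" + col3
           + "' AND col4='" + col4 + "'")
    return con.execute(sql).fetchall()

def query_parameterized(con, col3, col4):
    """Pete's varsList approach: the SQL is fixed, values are bound separately.
    sqlite3 uses ? where revDataFromQuery uses :1 and :2; either way the
    database receives the values as data, never as SQL."""
    sql = "SELECT col1,col2 FROM myTable WHERE col3=? AND col4=?"
    return con.execute(sql, (col3, col4)).fetchall()

def compare(col3, col4):
    """Run the same lookup both ways and report what each returned."""
    con = make_db()
    try:
        unsafe = query_concatenated(con, col3, col4)
    except sqlite3.OperationalError as exc:
        unsafe = "error: " + str(exc)  # the quote in the data broke the SQL
    safe = query_parameterized(con, col3, col4)
    return {"concatenated": unsafe, "parameterized": safe}

if __name__ == "__main__":
    # A plain value, a value containing a quote, and the classic tautology.
    for args in [("alice", "active"), ("o'brien", "active"), ("nobody", "x' OR '1'='1")]:
        print(args, compare(*args))
```

With the quote-containing owner the concatenated version errors out while the bound version simply finds the row; with the tautology value the concatenated version returns every row, the bound version none, because no row's col4 literally equals that string.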


