Database Input Validation

Bob Sneidar bobsneidar at iotecdigital.com
Mon Jul 6 16:13:04 EDT 2015


Sorry try/catch is not a loop. :-)

Bob S


> On Jul 6, 2015, at 13:12 , Bob Sneidar <bobsneidar at iotecdigital.com> wrote:
> 
> One way I used in the past was to get the schema of the table, and for each column I would be updating I would check type, length, limits etc. to make sure my data fell within the constraints of the column. Another way involves using the error messages SQL sends back when a query fails to determine what went wrong, and then alert the end user about what they need to do to fix it. To do this, you would put your insert/updates into try/catch loops and in the catch section call some command you write passing it the first parameter from the catch section. i.e.
> 
> try
>  <some sql here>
> catch theError
>  processSQLError theError
> end try
> 
> Bob S
> 
> 
>> On Jul 6, 2015, at 01:19 , Pascal Lehner <tate83 at gmail.com> wrote:
>> 
>> Hi all,
>> 
>> I am working on a desktop app that is running a SQLite database and might
>> well end up as a HTML5 server version with MySQL in the not-so-far future.
>> For this I want to have some sort of input validation to avoid security and
>> XSS incidents.
>> 
>> Does anyone have a library or function to "sanitize" any sql statement
>> before running it against the database? Or how do you do this?
>> 
>> Thanks,
>> 
>> Pascal
>> _______________________________________________
>> use-livecode mailing list
>> use-livecode at lists.runrev.com
>> Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
>> http://lists.runrev.com/mailman/listinfo/use-livecode
> 





More information about the use-livecode mailing list