Database Input Validation

Pascal Lehner tate83 at gmail.com
Tue Jul 7 04:19:23 EDT 2015


Hi Peter and Bob,

Thanks for your ideas.
I think I found a good way by doing an input check on the user fields on
closeField to avoid totally wrong information, and then I will store this
Unicode-encoded in the database.
This should avoid quite a few problems from the start.

Regards,
Pascal

2015-07-06 22:49 GMT+02:00 Peter Haworth <pete at lcsql.com>:

> Hi Pascal,
> I assume you're referring to SQL injection attacks.
>
> You can avoid them by using the varslist/arrayname parameter of
> revDataFromQuery/revQueryDatabase/revExecuteSQL.  See the dictionary for
> more details, but it involves using placeholders in your SQL statements and
> loading the values for those placeholders into separate variables or a
> numerically keyed array.
>
> On Mon, Jul 6, 2015 at 1:20 AM Pascal Lehner <tate83 at gmail.com> wrote:
>
> > Hi all,
> >
> > I am working on a desktop app that is running a SQLite database and might
> > well end up as an HTML5 server version with MySQL in the not-so-far future.
> > For this I want to have some sort of input validation to avoid security
> > and XSS incidents.
> >
> > Does anyone have a library or function to "sanitize" any sql statement
> > before running it against the database? Or how do you do this?
> >
> > Thanks,
> >
> > Pascal
> > _______________________________________________
> > use-livecode mailing list
> > use-livecode at lists.runrev.com
> > Please visit this url to subscribe, unsubscribe and manage your
> > subscription preferences:
> > http://lists.runrev.com/mailman/listinfo/use-livecode
> >
>
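A worked illustration of the two ideas in this thread, added here and not part of the original messages or of LiveCode: Peter's point that a bound placeholder makes the value data rather than SQL text, and Pascal's field-level input check. It uses Python's sqlite3 module against an in-memory SQLite database (the same engine as the desktop app), so the placeholder syntax is Python's `?` rather than LiveCode's revDataFromQuery varslist form. The table, rows, and the `validate_name` rule are constructed for the example. A perfectly legitimate name containing an apostrophe is enough to show the difference: concatenation turns it into a broken statement, while the bound parameter stores and finds it as-is.

```python
import sqlite3

# Constructed sample rows for this example (not data from the thread).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("O'Brien", "obrien@example.com"),
]


def setup_db():
    """Create an in-memory SQLite database and load the constructed rows
    through bound parameters, so the apostrophe in O'Brien is stored verbatim."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_concatenated(conn, name):
    """Builds the statement by string concatenation: the value becomes part of
    the SQL text, so any quote in it changes the statement's structure.
    Returns ("rows", [...]) on success or ("error", message) if SQLite rejects
    the statement."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    try:
        return ("rows", conn.execute(sql).fetchall())
    except sqlite3.Error as exc:
        return ("error", str(exc))


def lookup_parameterized(conn, name):
    """Binds the value through a placeholder: the statement text is fixed and
    the driver hands the value to SQLite as data, whatever characters it holds."""
    return ("rows", conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall())


def validate_name(value, max_len=64):
    """Field-level check of the kind discussed above (an illustrative rule, not
    one from the thread): reject empty or over-long input and control
    characters, but accept ordinary punctuation such as the apostrophe, which
    is legitimate data and is handled by the bound parameter, not by stripping."""
    if not value or len(value) > max_len:
        return False
    return not any(ord(ch) < 32 or ord(ch) == 127 for ch in value)


if __name__ == "__main__":
    db = setup_db()
    for candidate in ("alice", "O'Brien"):
        print(candidate, "valid:", validate_name(candidate))
        print("  concatenated :", lookup_concatenated(db, candidate))
        print("  parameterized:", lookup_parameterized(db, candidate))
```

The input check and the bound parameter do different jobs: `validate_name` rejects values that are wrong for the field (empty, too long, control characters), while the placeholder guarantees that whatever passes the check cannot alter the statement. Neither replaces the other, which is why using both, as the thread settles on, is the sensible combination.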


