Database Input Validation

Pascal Lehner tate83 at gmail.com
Tue Jul 7 04:19:23 EDT 2015


Hi Peter and Bob,

Thanks for your ideas.
I think I found a good way by doing a input check for the user fields on
closeField to avoid totally wrong information and then I will store this
unicode encoded in the database.
This should avoid quite a few problems from the start.

Regards,
Pascal

2015-07-06 22:49 GMT+02:00 Peter Haworth <pete at lcsql.com>:

> Hi Pascal,
> I assume you're referring to SQL injection attacks.
>
> You can avoid them by using the varslist/arrayname parameter of
> revDataFromQuery/revQueryDatabase/revExecute SQL.  See the dictionary for
> more details but it involves using placeholders in your SQL statements and
> loading the values for those placeholders into separate variables or a
> numerically keyed array.
>
> On Mon, Jul 6, 2015 at 1:20 AM Pascal Lehner <tate83 at gmail.com> wrote:
>
> > Hi all,
> >
> > I am working on a desktop app that is running a SQLite database and might
> > well end up as a HTML5 server version with MySQL in the not-so-far
> future.
> > For this I want to have some sort of input validation to avoid security
> and
> > XSS incidents.
> >
> > Does anyone have a library or function to "sanitize" any sql statement
> > before running it against the database? Or how do you do this?
> >
> > Thanks,
> >
> > Pascal
> > _______________________________________________
> > use-livecode mailing list
> > use-livecode at lists.runrev.com
> > Please visit this url to subscribe, unsubscribe and manage your
> > subscription preferences:
> > http://lists.runrev.com/mailman/listinfo/use-livecode
> >
> _______________________________________________
> use-livecode mailing list
> use-livecode at lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
>



More information about the Use-livecode mailing list