Database Input Validation

Peter Haworth pete at lcsql.com
Tue Jul 7 18:24:21 CEST 2015


Hi Pascal,
Sounds like I may have misunderstood your original question.

I'm a firm believer in putting data validation functionality into your
database schema.  There are several SQL DDL features that allow you to do
that and several advantages to having the database handle it for you
instead of writing your own code.  A couple of weeks ago, I did a webinar
as part of the Create It With Livecode program that included information
about this.  You can get the presentation slides at my web site
www.lcsql.com on the Free Stuff page.

On Tue, Jul 7, 2015 at 1:20 AM Pascal Lehner <tate83 at gmail.com> wrote:

> Hi Peter and Bob,
>
> Thanks for your ideas.
> I think I found a good way by doing a input check for the user fields on
> closeField to avoid totally wrong information and then I will store this
> unicode encoded in the database.
> This should avoid quite a few problems from the start.
>
> Regards,
> Pascal
>
> 2015-07-06 22:49 GMT+02:00 Peter Haworth <pete at lcsql.com>:
>
> > Hi Pascal,
> > I assume you're referring to SQL injection attacks.
> >
> > You can avoid them by using the varslist/arrayname parameter of
> > revDataFromQuery/revQueryDatabase/revExecute SQL.  See the dictionary for
> > more details but it involves using placeholders in your SQL statements
> and
> > loading the values for those placeholders into separate variables or a
> > numerically keyed array.
> >
> > On Mon, Jul 6, 2015 at 1:20 AM Pascal Lehner <tate83 at gmail.com> wrote:
> >
> > > Hi all,
> > >
> > > I am working on a desktop app that is running a SQLite database and
> might
> > > well end up as a HTML5 server version with MySQL in the not-so-far
> > future.
> > > For this I want to have some sort of input validation to avoid security
> > and
> > > XSS incidents.
> > >
> > > Does anyone have a library or function to "sanitize" any sql statement
> > > before running it against the database? Or how do you do this?
> > >
> > > Thanks,
> > >
> > > Pascal
> > > _______________________________________________
> > > use-livecode mailing list
> > > use-livecode at lists.runrev.com
> > > Please visit this url to subscribe, unsubscribe and manage your
> > > subscription preferences:
> > > http://lists.runrev.com/mailman/listinfo/use-livecode
> > >
> > _______________________________________________
> > use-livecode mailing list
> > use-livecode at lists.runrev.com
> > Please visit this url to subscribe, unsubscribe and manage your
> > subscription preferences:
> > http://lists.runrev.com/mailman/listinfo/use-livecode
> >
> _______________________________________________
> use-livecode mailing list
> use-livecode at lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode
>


More information about the use-livecode mailing list