Error: Unable to open the database file
pete at lcsql.com
Thu Apr 7 21:41:39 EDT 2016
Right, I think I have that covered since I prepare and bind the data in
separate steps using the php functions for those purposes.
So instead of assembling a SELECT statement like this:
SELECT col1,col2,col3 FROM table WHERE col4='<data entered by user>'
... and then executing it directly, I prepare this statement:
SELECT col1,col2,col3 FROM table WHERE col4=?
...and then bind the supplied user data to the ? placeholder. Any injected
data for the col4 value is treated as part of the value to be searched for
in col4 rather than an extension of the SELECT statement.
That's why is it is so important to use the variableslist parameter of the
LC DB functions if you are connecting directly to a database server.
At least I think that's how it works....
On Thu, Apr 7, 2016 at 4:31 PM Dr. Hawkins <dochawk at gmail.com> wrote:
> On Wed, Apr 6, 2016 at 1:03 PM, Peter Haworth <pete at lcsql.com> wrote:
> > Now you've got me worried! I had the impression that since the php
> > run on my server and access the mySQL database on the same server, there
> > wouldn't be any sql injection issues, particularly since I never send any
> > SQL statements from my client app to the server.
> In the middle of the text, a user puts something like
> '; || SELECT * FROM fizzbin ;DROP TABLE fizz bin; SELECT '
> I've probably hacked up the syntax, and there might be an intermediate
> query needed to get the table name, but something like this grabs all your
> data and deletes it while you thought you were doing an INSERT or such.
> Dr. Richard E. Hawkins, Esq.
> (702) 508-8462
> use-livecode mailing list
> use-livecode at lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your
> subscription preferences:
More information about the Use-livecode