Why you should sanitize input data

kee nethery kee.nethery at elloco.com
Mon Jul 16 14:50:24 EDT 2018

We had a system interface between a public web server and a SQL database that ran pre-formed SQL commands.

The table was specified, the variables were typed, the output was processed by XSLT, etc. 

The public server called a function that included the variables and got back whatever the XSLT produced. Each variable was checked to make sure it conformed to the type of data that variable could contain. Integer, Float, String, Boolean, etc. Strings were not allowed to have quotes in them, and some strings were optionally length limited.

We had a SQL table with these canned queries and an internal interface for building them. Each command also had a sample output so that if someone was using the command as part of a test, it would reply with the desired test data and not actually affect the SQL database.

SQL injection is just amazing to watch. Once saw a demonstration of a bank in India. In the login, they added SQL to the password field and got back a list of all the tables in the database. Very scary.


> On Jul 15, 2018, at 2:31 PM, J. Landman Gay via use-livecode <use-livecode at lists.runrev.com> wrote:
> I suspect the paranoid among us already know this, but I didn't realize it was quite so easy:
> https://null-byte.wonderhowto.com/how-to/use-command-injection-pop-reverse-shell-web-server-0185760/
> -- 
> Jacqueline Landman Gay         |     jacque at hyperactivesw.com
> HyperActive Software           |     http://www.hyperactivesw.com
> _______________________________________________
> use-livecode mailing list
> use-livecode at lists.runrev.com
> Please visit this url to subscribe, unsubscribe and manage your subscription preferences:
> http://lists.runrev.com/mailman/listinfo/use-livecode

More information about the use-livecode mailing list