Internal security of Rev?

kee nethery kee at kagi.com
Thu Jul 13 15:37:02 EDT 2006


If I were you ... starting from the database working outward:

Build a CGI that talks to your database. Host that CGI on your  
servers. Give it the ability to access your database with a username  
and password that only it knows and give it the ability to execute  
any SQL that makes sense.

Have your app talk to the CGI. Have it log in either with a stored  
password in the app or have the user enter a password that you give  
to them, or both.

Have your app only send requests for SQL to be run. Don't send the  
SQL, send the name of the SQL and the parameters. For example:

SelectGameScores
Team = Dallas
Year = 2006

That gets converted in the CGI into

SQL = "select date,teamA,teamB,scoreA,scoreB from teamScores where  
date >= 'Jan 1, {year}' and date <= 'Dec 31, {year}' and (teamA =  
'{team}' or teamB = '{team}')"

SQL submitted = "select date,teamA,teamB,scoreA,scoreB from  
teamScores where date >= 'Jan 1, 2006' and date <= 'Dec 31, 2006' and  
(teamA = 'Dallas' or teamB = 'Dallas')"

Just make sure you do some validation in the CGI on the parameters  
that come in to prevent SQL injection.

If you do this, it doesn't matter if they can get direct access to  
your CGI, they can only run the SQL you have predefined.

Kee Nethery
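The named-request scheme described above, as an added example: this is not code from the post, from Kee Nethery, or from LiveCode, but a small Python stand-in for the CGI backed by an in-memory sqlite database with constructed rows. The names (handle_request, NAMED_QUERIES, the teamScores columns, ISO date text for the date column) are assumptions for the example. It also goes one step past the post's literal substitution: the predefined SQL keeps bind placeholders and the validated parameters are bound rather than pasted into the query text, an allowlist rejects any request name that is not predefined, and each parameter has its own validator. run_interpolated reproduces the post's '{team}' substitution without validation so the effect of an injected Team value is visible side by side.

```python
import re
import sqlite3

# Constructed sample data (not from the post); game dates are stored as ISO
# text so that plain string comparison orders them correctly.
SAMPLE_ROWS = [
    ("2006-09-10", "Dallas", "Jacksonville", 24, 17),
    ("2006-09-17", "Washington", "Dallas", 10, 27),
    ("2005-10-02", "Dallas", "Oakland", 13, 19),
    ("2006-10-01", "Chicago", "Seattle", 37, 6),
]

def make_db():
    """In-memory stand-in for the database only the CGI has credentials for."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE teamScores (date TEXT, teamA TEXT, teamB TEXT, "
        "scoreA INTEGER, scoreB INTEGER)"
    )
    conn.executemany("INSERT INTO teamScores VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return conn

# Per-parameter validators: return the cleaned value or raise ValueError.
# The allowed character set for a team name is an assumption of this example.
TEAM_RE = re.compile(r"[A-Za-z][A-Za-z0-9 ]{0,31}")

def validate_team(value):
    if not TEAM_RE.fullmatch(value):
        raise ValueError(f"Team rejected: {value!r}")
    return value

def validate_year(value):
    if not re.fullmatch(r"\d{4}", value):
        raise ValueError(f"Year rejected: {value!r}")
    return int(value)

# Allowlist of predefined requests. Each entry carries the SQL with bind
# placeholders (never string-substituted), the validators for its named
# parameters, and how the validated parameters map onto the bound values.
NAMED_QUERIES = {
    "SelectGameScores": {
        "sql": (
            "SELECT date, teamA, teamB, scoreA, scoreB FROM teamScores "
            "WHERE date >= ? AND date <= ? AND (teamA = ? OR teamB = ?) "
            "ORDER BY date"
        ),
        "params": {"Team": validate_team, "Year": validate_year},
        "bind": lambda p: (f"{p['Year']}-01-01", f"{p['Year']}-12-31",
                           p["Team"], p["Team"]),
    },
}

def parse_request(text):
    """Parse the post's wire format: a query-name line, then 'Key = Value' lines."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty request")
    name, params = lines[0], {}
    for ln in lines[1:]:
        key, sep, value = ln.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed parameter line: {ln!r}")
        params[key.strip()] = value.strip()
    return name, params

def handle_request(conn, text):
    """CGI entry point: returns ("ok", rows) or ("error", message)."""
    try:
        name, raw = parse_request(text)
        spec = NAMED_QUERIES.get(name)
        if spec is None:
            raise ValueError(f"unknown query: {name!r}")  # no ad-hoc SQL, ever
        if set(raw) != set(spec["params"]):
            raise ValueError("parameter set must be exactly "
                             f"{sorted(spec['params'])}")
        clean = {k: spec["params"][k](raw[k]) for k in spec["params"]}
        rows = conn.execute(spec["sql"], spec["bind"](clean)).fetchall()
        return ("ok", rows)
    except ValueError as exc:
        return ("error", str(exc))

def run_interpolated(conn, team, year):
    """The post's literal '{team}' substitution with no validation, kept only
    to show what an injected Team value does to such a query."""
    sql = (
        "SELECT date, teamA, teamB, scoreA, scoreB FROM teamScores "
        f"WHERE date >= '{year}-01-01' AND date <= '{year}-12-31' "
        f"AND (teamA = '{team}' OR teamB = '{team}') ORDER BY date"
    )
    return conn.execute(sql).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(handle_request(db, "SelectGameScores\nTeam = Dallas\nYear = 2006"))
    print(handle_request(db, "SelectGameScores\nTeam = Dallas' OR '1'='1\nYear = 2006"))
    print(run_interpolated(db, "Dallas' OR '1'='1", "2006"))
```

With the injected value Dallas' OR '1'='1, handle_request answers with an error before any SQL runs, while run_interpolated returns every 2006 game because the OR '1'='1' fragment becomes part of the WHERE clause. Binding the values is what makes the predefined SQL safe even if a validator is too lax; the validators add a second, independent check and keep error messages readable. The string comparison on date only works because the sample stores ISO text; a real schema would use a date type and bind date values instead.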



