[On-Rev] Using Shell to Manipulate SQL

Bob Sneidar bobs at twft.com
Mon Aug 15 13:56:36 EDT 2011


If you are going to supply the functionality in your application of creating a new schema, you will need to get the user to supply credentials with create privileges for the database. Using root in a shell will not get you around this. Use "CREATE SCHEMA IF NOT EXISTS <db_name>" and once you have your schema, set your tables up using standard "CREATE TABLE IF NOT EXISTS <tbl_name>" calls. If you do not have root access to the database, or a login that has create schema and table permissions, then I am afraid you will be out of luck. If you do have them, then it won't help to use shell over the prescribed method. 

I have thought a bit about this in the past, because to make a real software installer for software that depends on SQL, where you do not have access or full control of the host server, you are going to have to get the user to supply the credentials. Unfortunately (and thankfully) there is no way around this, whether or not you use shell. 

Bob
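An added example (not code from the thread or from LiveCode) that puts Bob's "CREATE SCHEMA IF NOT EXISTS" advice and Andre's warning about shell() with user input into practice: the schema name is checked against an allowlist, since identifiers cannot be bound as query parameters, and the mysql client is invoked with an argv list rather than a shell command string. The option-file path and the identifier rule are assumptions for the example.

```python
import re
import subprocess
import sys

# Allowlist for schema/table names. Identifiers cannot be bound as query
# parameters, so validating them is the only defence for CREATE SCHEMA.
# (Constructed for this example; deliberately stricter than MySQL's own rules.)
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")


def safe_identifier(name: str) -> str:
    """Return name unchanged if it is a plain identifier, else raise ValueError."""
    if not IDENT_RE.fullmatch(name):
        raise ValueError(f"rejected identifier: {name!r}")
    return name


def create_schema_sql(db_name: str) -> str:
    """The statement Bob recommends, with the name validated and backtick-quoted."""
    return f"CREATE SCHEMA IF NOT EXISTS `{safe_identifier(db_name)}`"


def mysql_argv(sql: str, option_file: str) -> list:
    """argv for the mysql client. The user's credentials live in an option file
    they supply (--defaults-extra-file), never on the command line. A list passed
    to subprocess.run with the default shell=False is never parsed by a shell."""
    return ["mysql", f"--defaults-extra-file={option_file}", "--execute", sql]


def run_create_schema(db_name: str, option_file: str) -> subprocess.CompletedProcess:
    """Create the schema with the caller's credentials; raises on rejected names."""
    return subprocess.run(mysql_argv(create_schema_sql(db_name), option_file), check=True)


def argv_preserves_argument(value: str) -> bool:
    """Show that an argv list hands the value to the child process verbatim: a
    child Python echoes sys.argv[1] and we compare. No shell is involved, so
    quotes, '&&' and '*' are plain characters, not operators."""
    child = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", value]
    result = subprocess.run(child, capture_output=True, text=True, check=True)
    return result.stdout == value


if __name__ == "__main__":
    hostile = '" && rm -rf *'  # the username from the thread
    print(argv_preserves_argument(hostile))  # True: arrived intact, nothing ran
    try:
        create_schema_sql(hostile)
    except ValueError as exc:
        print(exc)  # rejected before it reaches SQL or a shell
    print(create_schema_sql("rjdfarm_db"))
```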


On Aug 14, 2011, at 12:52 AM, Andre Garzia wrote:

> Andrew,
> 
> This is a quick email typed on a phone in an airport so forgive me for not
> going too deep.
> 
> Basically : don't do it!!!!!
> 
> The dangers are too big. You should avoid using shell() with anything that
> comes from user input.
> 
> If the user chooses a username such as:
> 
> " && rm -rf *
> 
> And this, in a very unlucky day, is not detected by your security filters
> and this ends up in a shell() call, all your files are gone.
> 
> Shell calls are very powerful and just like Uncle Ben said: "with great
> power comes great GREAT HACKING ENTRY POINTS AND SCRIPT INJECTION ".
> 
> You should only use them with strings that have no part computed from third
> parties.
> 
> Cheers
> 
> --
> sent from my Nexus S - android is freedom.
> http://andregarzia.com :: all we do is code
> http://fon.nu :: minimalist url shortening
> On 09/08/2011 04:09, "Andrew Kluthe" <andrew at rjdfarm.com> wrote:
>> Here is another thing I am wondering about this evening.
>> 
>> I am curious as to how much power the Shell() function in an On-Rev
>> configuration is. I'd like to create mySQL databases & users on the fly.
>> 
>> I know the shell() function can run commands for you, but do you think I
>> will be able to create mysql databases and users as root?
>> 
>> 
>> Has anyone tried this?
>> 
>> Thanks,
>> 
>> Andrew
>> _______________________________________________
>> use-livecode mailing list
>> use-livecode at lists.runrev.com
>> Please visit this url to subscribe, unsubscribe and manage your
>> subscription preferences:
>> http://lists.runrev.com/mailman/listinfo/use-livecode
