[Gambas-user] Database and SQL code injection

Benoit Minisini gambas at ...1...
Thu Sep 13 23:48:03 CEST 2007


Hi,

SQL code injection is a common problem when SQL commands are not carefully 
written before being sent to the database.

Gambas has database methods that can do automatic string quoting for you, 
which prevents SQL code injection:

DB.Exec("SELECT * FROM UserTable WHERE Login = &1 AND Password = &2", TheLogin, ThePassword)

Alas, it does not prevent the many users who are not aware of SQL injection 
from doing this instead:

DB.Exec("SELECT * FROM UserTable WHERE Login = '" & TheLogin & "' AND Password ='" & ThePassword & "'")

For those who do not know, imagine that the TheLogin and ThePassword strings 
come from a web form, and that the user entered the following:

TheLogin: ' OR '' = '
ThePassword: ' OR '' ='

Then the request sent to the database server becomes:

SELECT * FROM UserTable WHERE Login = '' OR '' = '' AND Password = '' OR '' = ''

So whatever the operator precedence is, this request is equivalent to:

SELECT * FROM UserTable WHERE True

If this request were the only check, you would be authenticated as the first 
user in the database!

When I was in Canada some years ago for my job, there was Internet access 
in the hotel. This was a PC with Internet Explorer limited to only one web 
site, an official Canada web site for tourism.

There were login and password fields somewhere in the page. Guess what...

Well, back to Gambas now. I want to go further by simply rejecting any call 
to Exec(), Find() or Delete() if the first argument includes quoting 
characters.

This way, you will be compelled to use the quoting arguments.
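As an added example (not Gambas code, and not part of the original post), here is a Python emulation of the two styles above run against SQLite: the &1/&2 substitution, the proposed check that rejects a first argument containing quote characters, and the concatenated version, each executed against a constructed one-row UserTable with the ' OR '' = ' input. The quoting rule (doubling embedded single quotes) is an assumption standing in for whatever the real database driver does.

```python
import re
import sqlite3

# Constructed emulation of a Gambas-style DB.Exec(): the first argument is the
# query template, and &1, &2, ... are replaced by the quoted extra arguments.
PLACEHOLDER = re.compile(r"&(\d+)")
QUOTE_CHARS = "'\""

def sql_quote(value: str) -> str:
    """Turn a string into an SQL literal: wrap it in single quotes and double
    any embedded single quote (assumed quoting rule; real drivers may differ)."""
    return "'" + value.replace("'", "''") + "'"

def template_is_safe(template: str) -> bool:
    """The check proposed in the post: a query template that already carries
    quoting characters was almost certainly built by string concatenation."""
    return not any(ch in template for ch in QUOTE_CHARS)

def db_exec_emulation(template: str, *args: str) -> str:
    """Reject quoted templates, then substitute each &N with its quoted argument."""
    if not template_is_safe(template):
        raise ValueError("quoting characters in query; use &N arguments instead")
    return PLACEHOLDER.sub(lambda m: sql_quote(args[int(m.group(1)) - 1]), template)

def concatenated_query(login: str, password: str) -> str:
    """The vulnerable style from the post: user input pasted between quotes."""
    return ("SELECT * FROM UserTable WHERE Login = '" + login
            + "' AND Password = '" + password + "'")

def run(sql: str) -> list:
    """Run one statement against a constructed in-memory table with one user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserTable (Login TEXT, Password TEXT)")
    conn.execute("INSERT INTO UserTable VALUES ('alice', 'secret')")  # constructed row
    rows = conn.execute(sql).fetchall()
    conn.close()
    return rows

def compare(login: str, password: str) -> tuple:
    """Row counts from the concatenated query and the placeholder query for the
    same input, plus whether the concatenated query would pass the check."""
    unsafe_sql = concatenated_query(login, password)
    safe_sql = db_exec_emulation(
        "SELECT * FROM UserTable WHERE Login = &1 AND Password = &2", login, password)
    return len(run(unsafe_sql)), len(run(safe_sql)), template_is_safe(unsafe_sql)

if __name__ == "__main__":
    # The input from the post: both fields set to  ' OR '' = '
    print(compare("' OR '' = '", "' OR '' = '"))  # -> (1, 0, False)
```

The concatenated query matches the only user even though neither field is correct, the placeholder query matches nothing because the input becomes a harmless literal, and the concatenated string is exactly what the proposed quote-character check would refuse.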

What do you think about that?

-- 
Benoit Minisini



