[Gambas-user] Database and SQL code injection

Gareth Bult gareth at ...1689...
Fri Sep 14 10:12:14 CEST 2007


Hi,

I think more generic routines with additional error checking are generally a good idea. 

Just as a matter of interest, my first month of using Gambas was based exclusively on "Exec", simply because my approach to the documentation didn't actually lead me to "know" about the use of "&1 &2" parameter substitution .. (!)

If you're looking for new features, the ability to supply a "SORT" option to "Find"/"Edit" would be really nice .. I tend to use "Exec" all the time as I rarely work with unsorted tables (GridEditor!) ... whereas it would be nice to write code that wasn't reliant on MySQL.

Gareth.


--
Managing Director, Encryptec Limited
Tel: 0845 25 77033, Mob: 07891 389657
Email: gareth at ...1689... 
Statements made are at all times subject to Encryptec's Terms and Conditions of Business, which are available upon request.

----- Original Message -----
From: "Benoit Minisini" <gambas at ...1...>
To: "mailing list for gambas users" <gambas-user at lists.sourceforge.net>
Sent: Friday, September 14, 2007 7:21:25 AM (GMT) Europe/London
Subject: Re: [Gambas-user] Database and SQL code injection

On Friday 14 September 2007, ron wrote:
> On Thursday 13 September 2007 23:48, Benoit Minisini wrote:
> > Well, back to Gambas now. I want to go further, by simply rejecting any
> > call to Exec(), Find() or Delete(), if the first argument includes some
> > quoting characters.
> >
> > This way, you will be compelled to use the quoting arguments.
> >
> > What do you think about that?
> >
> > --
> > Benoit Minisini
>
> Proposal is not bad but I prefer a way to bypass all gambas mangling for
> using DB.Exec("select concat("today=",`age`,now()) as `age` from
> `tblBenoit`;")
>

Wow. What does your request do? :-)

Maybe I should make another method, without the check?

I notice that I have to allow quoting before operands, but not after. I don't 
know enough SQL to be sure that it won't forbid non-dangerous expressions 
in all cases...

-- 
Benoit Minisini
