[Gambas-user] Database and SQL code injection

Steven Lobbezoo steven at ...1652...
Fri Sep 14 12:43:01 CEST 2007


Hi,

My 2 cents:

I think it's impossible to preview all possible SQL syntax rules and scan on 
them. 
Sometimes statements get really complicated, and are constructed 'on the fly'.
So, PLEASE do not interfere too much. Just leave, at least Exec, up to the 
programmer to construct it to his liking.

Steven



On Friday 14 September 2007 08:21, Benoit Minisini wrote:
> On Friday 14 September 2007, ron wrote:
> > On Thursday 13 September 2007 23:48, Benoit Minisini wrote:
> > > Well, back to Gambas now. I want to go further, by simply rejecting any
> > > call to Exec(), Find() or Delete(), if the first argument includes some
> > > quoting characters.
> > >
> > > This way, you will be compelled to use the quoting arguments.
> > >
> > > What do you think about that?
> > >
> > > --
> > > Benoit Minisini
> >
> > Proposal is not bad but I prefer a way to bypass all gambas mangling for
> > using DB.Exec("select concat("today=",`age`,now()) as `age` from
> > `tblBenoit`;")
>
> Wow. What does your request do? :-)
>
> Maybe I should make another method, without the check ?
>
> I notice that I have to allow quoting before operands, but not after. I
> don't know enough SQL to be sure that it won't forbid non-dangerous
> expressions in all cases...
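To make the trade-off in this thread concrete, here is an added example (not code from the thread, from Gambas, or from Benoit's patch) written in Python against an in-memory SQLite table instead of Gambas' DB.Exec. The `has_quote_chars` gate is my reading of Benoit's proposal (reject query text that contains a quote or backtick); `guarded_exec`, `make_db`, the `lookup_age_*` helpers and the sample rows are hypothetical names and constructed data. It shows why splicing a value into the SQL text is fragile even for honest input such as a name with an apostrophe, how the gate stops that form from ever reaching the database, how the parameterised form passes the gate and handles the apostrophe as plain data, and, as ron points out, that a query with its own string literal and backtick identifiers is a false positive for such a gate.

```python
import sqlite3

# The three quoting characters the thread talks about: SQL string quotes and
# MySQL-style identifier backticks.
QUOTE_CHARS = ("'", '"', "`")


def has_quote_chars(sql: str) -> bool:
    """The gate as I read Benoit's proposal (assumption): true if the query
    text itself contains any quoting character, the usual sign that a value
    was spliced into the SQL instead of being passed as an argument."""
    return any(ch in sql for ch in QUOTE_CHARS)


def guarded_exec(conn: sqlite3.Connection, sql: str, params=()):
    """Hypothetical Exec() wrapper: refuse quoted query text, otherwise run
    the statement with the values bound as parameters by the driver."""
    if has_quote_chars(sql):
        raise ValueError("query text contains quoting characters; "
                         "pass values as parameters instead")
    return conn.execute(sql, params).fetchall()


def make_db() -> sqlite3.Connection:
    """Constructed sample table; one name contains an apostrophe on purpose."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (name TEXT, age INTEGER)")
    conn.executemany("INSERT INTO people VALUES (?, ?)",
                     [("Alice", 30), ("O'Brien", 41)])
    return conn


def lookup_age_spliced(conn, name: str):
    """No gate, value spliced into the SQL text. A perfectly legitimate
    apostrophe in the value already breaks the statement, which is the same
    mechanism an injected value exploits. Returns rows, or the parser error."""
    sql = "SELECT age FROM people WHERE name = '" + name + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        return "rejected by SQL parser: " + str(exc)


def lookup_age_gated_spliced(conn, name: str):
    """The same spliced statement sent through the gate: it never reaches the
    database, whatever the value is, because the text carries quotes."""
    sql = "SELECT age FROM people WHERE name = '" + name + "'"
    try:
        return guarded_exec(conn, sql)
    except ValueError as exc:
        return "rejected by gate: " + str(exc)


def lookup_age_bound(conn, name: str):
    """The form the gate is meant to compel: a placeholder in the text, the
    value handed to the driver, so the apostrophe is just data."""
    return guarded_exec(conn, "SELECT age FROM people WHERE name = ?", (name,))


# Ron's kind of query: a string literal and backtick-quoted identifiers in the
# SQL text itself, no user data involved. The gate rejects it anyway; that is
# the false positive the thread is worried about.
RON_STYLE = "SELECT 'today=' || `age` AS `age` FROM `people` ORDER BY `age`"


def ron_style_bound(conn):
    """The literal can move into a parameter (the backtick identifiers
    cannot); with plain identifiers the query passes the gate."""
    return guarded_exec(conn, "SELECT ? || age AS age FROM people ORDER BY age",
                        ("today=",))


if __name__ == "__main__":
    db = make_db()
    print(lookup_age_spliced(db, "Alice"))          # [(30,)]
    print(lookup_age_spliced(db, "O'Brien"))        # rejected by SQL parser: ...
    print(lookup_age_gated_spliced(db, "Alice"))    # rejected by gate: ...
    print(lookup_age_bound(db, "O'Brien"))          # [(41,)]
    print(has_quote_chars(RON_STYLE))               # True
    print(ron_style_bound(db))                      # [('today=30',), ('today=41',)]
```

The gate is deliberately crude, which is the point of the thread: it catches spliced values without understanding SQL, at the price of refusing any statement that legitimately carries its own literals or backtick-quoted names. A separate unchecked method, as Benoit suggests, keeps that escape hatch explicit rather than forcing everyone to work around the check.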