Secure way to "disable" SQL injections within LC stack

Bringing the internet highway into your project? Building FTP, HTTP, email, chat or other client solutions?

Moderators: FourthWorld, heatherlaine, Klaus, kevinmiller, robinmiller

teriibi
Posts: 254
Joined: Mon Nov 13, 2017 3:49 pm
Location: Bolivia

Secure way to "disable" SQL injections within LC stack

Post by teriibi » Mon Feb 12, 2018 2:09 pm

HI,
For a Client/Server DB access, I m about to script "something" to restrict inputs in text fields of an LC card (fname, etc..)
The goal here is to try disabling any SQL injections from peeking users..
Anyone can recommend any (more) secured way other than the LC "Filter" functions ? :idea:
Or thats already the best way to go ? :|

Klaus
Posts: 13793
Joined: Sat Apr 08, 2006 8:41 am
Location: Germany
Contact:

Re: Secure way to "disable" SQL injections within LC stack

Post by Klaus » Mon Feb 12, 2018 2:31 pm

Hola, this is your pathfinder speaking :-)

I think the "placeholder" approach is the way to go.

Check "revExecuteSQL" in the dictionary, scroll down to the "Description", there you will find some examples of how to use the :1, :2 ... thing :-)


Best

Klaus

teriibi
Posts: 254
Joined: Mon Nov 13, 2017 3:49 pm
Location: Bolivia

Re: Secure way to "disable" SQL injections within LC stack

Post by teriibi » Mon Feb 12, 2018 3:29 pm

Thanks Klaus for opening the way...
Im actually using

Code: Select all

post sentdata to url"https://www.*******
so i dont see how the "revExecuteSQL" can fit in there...
..maybe the "filter" is enough to filter the content ...at time of inputs.

FourthWorld
VIP Livecode Opensource Backer
VIP Livecode Opensource Backer
Posts: 9801
Joined: Sat Apr 08, 2006 7:05 am
Location: Los Angeles
Contact:

Re: Secure way to "disable" SQL injections within LC stack

Post by FourthWorld » Mon Feb 12, 2018 4:04 pm

What is receiving the data on the server, PHP, LC Server, or something else?
Richard Gaskin
LiveCode development, training, and consulting services: Fourth World Systems
LiveCode Group on Facebook
LiveCode Group on LinkedIn

Klaus
Posts: 13793
Joined: Sat Apr 08, 2006 8:41 am
Location: Germany
Contact:

Re: Secure way to "disable" SQL injections within LC stack

Post by Klaus » Mon Feb 12, 2018 4:39 pm

teriibi wrote:
Mon Feb 12, 2018 3:29 pm
Thanks Klaus for opening the way...
Im actually using

Code: Select all

post sentdata to url"https://www.*******
so i dont see how the "revExecuteSQL" can fit in there...
..maybe the "filter" is enough to filter the content ...at time of inputs.
Oh, sorry, I thought you were talking about database access.
No idea for POSTing things...

teriibi
Posts: 254
Joined: Mon Nov 13, 2017 3:49 pm
Location: Bolivia

Re: Secure way to "disable" SQL injections within LC stack

Post by teriibi » Mon Feb 12, 2018 8:19 pm

Php is receiving the data.
Though I m investigating so as to restrict data at the very "input time" at the moment...so from Client stack

FourthWorld
VIP Livecode Opensource Backer
VIP Livecode Opensource Backer
Posts: 9801
Joined: Sat Apr 08, 2006 7:05 am
Location: Los Angeles
Contact:

Re: Secure way to "disable" SQL injections within LC stack

Post by FourthWorld » Mon Feb 12, 2018 9:35 pm

Checking inputs at all levels is good. Beyond the LC-based UI, the problem becomes generic to PHP and MySQL - this guide may help:
http://php.net/manual/en/security.datab ... ection.php
Richard Gaskin
LiveCode development, training, and consulting services: Fourth World Systems
LiveCode Group on Facebook
LiveCode Group on LinkedIn

teriibi
Posts: 254
Joined: Mon Nov 13, 2017 3:49 pm
Location: Bolivia

Re: Secure way to "disable" SQL injections within LC stack

Post by teriibi » Mon Feb 12, 2018 9:41 pm

At all level, for sure..thats planned, just trying a "basic insert" prevention from one end of the line 8) ...client stack, which I believe using Characters restriction is a start... :idea:

FourthWorld
VIP Livecode Opensource Backer
VIP Livecode Opensource Backer
Posts: 9801
Joined: Sat Apr 08, 2006 7:05 am
Location: Los Angeles
Contact:

Re: Secure way to "disable" SQL injections within LC stack

Post by FourthWorld » Mon Feb 12, 2018 9:49 pm

teriibi wrote:
Mon Feb 12, 2018 9:41 pm
At all level, for sure..thats planned, just trying a "basic insert" prevention from one end of the line 8) ...client stack, which I believe using Characters restriction is a start... :idea:
It certainly helps.
Richard Gaskin
LiveCode development, training, and consulting services: Fourth World Systems
LiveCode Group on Facebook
LiveCode Group on LinkedIn

teriibi
Posts: 254
Joined: Mon Nov 13, 2017 3:49 pm
Location: Bolivia

Re: Secure way to "disable" SQL injections within LC stack

Post by teriibi » Tue Feb 13, 2018 4:05 am

How does one replace or remove any double quote >>> " <<< from a string ? :shock:

Code: Select all

   put replacetext(fld Finput," " "," ") into Text
is not accepted...

bogs
Posts: 5435
Joined: Sat Feb 25, 2017 10:45 pm

Re: Secure way to "disable" SQL injections within LC stack

Post by bogs » Tue Feb 13, 2018 5:21 am

Quote is a constant, so perhaps you could try

Code: Select all

replace quote with empty in field "yourField"
*Edit - a bit of advice I was given when I first started, make sure you use " " around your object names, such as in your code example

Code: Select all

(fld Finput," " "," ")
should be

Code: Select all

(fld "Finput"," " "," ")
as missing a set of quotes could really ruin your day.
Image

teriibi
Posts: 254
Joined: Mon Nov 13, 2017 3:49 pm
Location: Bolivia

Re: Secure way to "disable" SQL injections within LC stack

Post by teriibi » Tue Feb 13, 2018 1:31 pm

Tks Bogs, I was indeed still wondering about that too :) I ll make sure fields are using "".

Now, I tested the use of Quote in the following way:

Code: Select all

 put replaceText(fld "Finput","(quote)",empty) into Textclean
It works fine for ", though I have this problem with the next sentence where it also removes
full necessary words, not just symbols.
Original text:
Get rid of SYMBOLS """ BUT not the Quote WORD
Cleaned text:
Get rid of SYMBOLS BUT not the WORD
...which also removed a non targeted Quote (word) :shock:

I couldnt use the "replace quote.." you mentioned above yet
Do you think it will just clean symbols only ", and not full words ?

What syntax would target only symbols ?

teriibi
Posts: 254
Joined: Mon Nov 13, 2017 3:49 pm
Location: Bolivia

Re: Secure way to "disable" SQL injections within LC stack

Post by teriibi » Tue Feb 13, 2018 1:49 pm

solved !
I ve found this that only removes " symbols....

Code: Select all

   put replaceText(fld "Finput","(ASCII 34).",empty) into Textclean
:wink: :!:
hopes it would work on all Oses...

bogs
Posts: 5435
Joined: Sat Feb 25, 2017 10:45 pm

Re: Secure way to "disable" SQL injections within LC stack

Post by bogs » Tue Feb 13, 2018 2:38 pm

teriibi wrote:
Tue Feb 13, 2018 1:31 pm
I ll make sure fields are using "".
Well, not just fields, any object, buttons, fields, players, images, etc. For a (relatively) long time, I was writing them as you did here, despite seeing them all over the place with quotes around the name, because it seemed to work.

The problem I think is that Lc's auto-magic resolution of what you type could run you afoul if your not specific, so it may take your object name and turn it into a variable, for instance. The engine also has to put in more time I think it was explained to me, tracking it down to see if it's guessing is correct? It was something like that.

*Edit - I found that explanation I was talking about -
jacque wrote:
Sat Mar 04, 2017 9:03 pm
I haven't ever seen a problem with object names like you describe, so I'm not sure what's going on there. I don't use the same conventions though, so you might try changing the prefixes to see if that matters.

All object names should be enclosed in double quotes. If they aren't, LC will do its best to see if there is an object with that name, but it introduces ambiguity and sometimes it will fail. If there are no quotes, the engine has to scan every control looking for a match, which is slower. But more importantly, if an object name is a reserved word you will get unexpected results.

Rule of thumb is to always quote literals and control names in scripts.
... so, it is just a better habit, as well as helping the readability of your code, to quote object names, i.e.
button "Ok", field "myField", player "hookeyLau", etc.
I couldnt use the "replace quote.." you mentioned above yet
Do you think it will just clean symbols only ", and not full words ?
I tested it the way I wrote it, here are the before and after shots.
Selection_003.png
Before
Selection_003.png (6.17 KiB) Viewed 7780 times
Selection_004.png
After
Selection_004.png (23.72 KiB) Viewed 7780 times
Last edited by bogs on Tue Feb 13, 2018 2:59 pm, edited 1 time in total.
Image

teriibi
Posts: 254
Joined: Mon Nov 13, 2017 3:49 pm
Location: Bolivia

Re: Secure way to "disable" SQL injections within LC stack

Post by teriibi » Tue Feb 13, 2018 2:51 pm

Right that works too and is even simpler...I guess I was trying to use "into" instead of "in". :!: :!:
Tks, for the "" tips on all objects not just fld !
:wink:

Post Reply

Return to “Internet”