Secure way to "disable" SQL injections within LC stack
Hi,
For a client/server DB access, I'm about to script "something" to restrict inputs in text fields of an LC card (fname, etc.).
The goal here is to try to disable any SQL injections from peeking users.
Can anyone recommend any (more) secure way other than the LC "filter" functions?
Or is that already the best way to go?
Re: Secure way to "disable" SQL injections within LC stack
Hola, this is your pathfinder speaking
I think the "placeholder" approach is the way to go.
Check "revExecuteSQL" in the dictionary, scroll down to the "Description", there you will find some examples of how to use the :1, :2 ... thing
Best
Klaus
Re: Secure way to "disable" SQL injections within LC stack
Thanks Klaus for opening the way...
I'm actually using
Code:
post sentdata to url"https://www.*******
so I don't see how "revExecuteSQL" can fit in there...
...maybe the "filter" is enough to filter the content... at time of inputs.
Re: Secure way to "disable" SQL injections within LC stack
What is receiving the data on the server, PHP, LC Server, or something else?
Richard Gaskin
LiveCode development, training, and consulting services: Fourth World Systems
LiveCode Group on Facebook
LiveCode Group on LinkedIn
Re: Secure way to "disable" SQL injections within LC stack
Oh, sorry, I thought you were talking about database access.
teriibi wrote: Mon Feb 12, 2018 3:29 pm
Thanks Klaus for opening the way...
I'm actually using
Code:
post sentdata to url"https://www.*******
so I don't see how "revExecuteSQL" can fit in there...
...maybe the "filter" is enough to filter the content... at time of inputs.
No idea for POSTing things...
Re: Secure way to "disable" SQL injections within LC stack
PHP is receiving the data.
Though I'm investigating so as to restrict data at the very "input time" at the moment... so from the client stack.
Re: Secure way to "disable" SQL injections within LC stack
Checking inputs at all levels is good. Beyond the LC-based UI, the problem becomes generic to PHP and MySQL - this guide may help:
http://php.net/manual/en/security.datab ... ection.php
Richard Gaskin
LiveCode development, training, and consulting services: Fourth World Systems
LiveCode Group on Facebook
LiveCode Group on LinkedIn
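The server side Richard points to, as an added example (not code from the thread or from the php.net guide): the posted fname spliced into the SQL string beside the same insert done with a PDO prepared statement, plus the server-side check that still belongs in front of it. The table, column, DSN and credentials are assumed.

```php
<?php
// Added example, not code from the thread: a PHP endpoint receiving the
// LiveCode client's POST. Table "people", column "fname", the DSN and the
// credentials are assumptions for illustration.

// Constructed stand-in for $_POST: a legitimate name with an apostrophe.
// It is not an attack, yet it breaks the concatenated query below, and it is
// exactly the kind of input a client-side quote filter would mangle.
$sample = ['fname' => "O'Brien"];

// VULNERABLE: the posted value becomes part of the SQL text. Removing double
// quotes on the client does not help; here the single quote ends the literal,
// and whoever controls fname controls the rest of the statement.
function insertVulnerable(PDO $pdo, array $post): void
{
    $sql = "INSERT INTO people (fname) VALUES ('" . $post['fname'] . "')";
    $pdo->exec($sql);
}

// HARDENED: a prepared statement sends the SQL and the value separately, so
// quotes, semicolons or comment markers inside fname are stored as plain text.
function insertPrepared(PDO $pdo, array $post): int
{
    $stmt = $pdo->prepare("INSERT INTO people (fname) VALUES (:fname)");
    $stmt->bindValue(':fname', (string) ($post['fname'] ?? ''), PDO::PARAM_STR);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

// Server-side validation is still worth doing (the client-side filter is
// skipped by anyone who posts to the URL directly), but it is a data-quality
// check layered on top of the prepared statement, not the injection defence.
function validFname(string $fname): bool
{
    return $fname !== '' && strlen($fname) <= 64 && !preg_match('/[\x00-\x1F]/', $fname);
}

$pdo = new PDO('mysql:host=localhost;dbname=app', 'appuser', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);
$post = $_POST ?: $sample;
if (!validFname((string) ($post['fname'] ?? ''))) {
    http_response_code(400);
    exit('bad fname');
}
echo insertPrepared($pdo, $post), "\n";
```

With the prepared statement in place, the LiveCode-side character stripping becomes a usability choice rather than a security control, which is the point of checking at all levels.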
Re: Secure way to "disable" SQL injections within LC stack
At all levels, for sure... that's planned, just trying a "basic insert" prevention from one end of the line... the client stack, which I believe using character restriction is a start...
Re: Secure way to "disable" SQL injections within LC stack
It certainly helps.
Richard Gaskin
LiveCode development, training, and consulting services: Fourth World Systems
LiveCode Group on Facebook
LiveCode Group on LinkedIn
Re: Secure way to "disable" SQL injections within LC stack
How does one replace or remove any double quote >>> " <<< from a string?
Code:
put replacetext(fld Finput," " "," ") into Text
is not accepted...
Re: Secure way to "disable" SQL injections within LC stack
Quote is a constant, so perhaps you could try
Code:
replace quote with empty in field "yourField"
*Edit - a bit of advice I was given when I first started: make sure you use " " around your object names, such as in your code example
Code:
(fld Finput," " "," ")
should be
Code:
(fld "Finput"," " "," ")
as missing a set of quotes could really ruin your day.
Re: Secure way to "disable" SQL injections within LC stack
Tks Bogs, I was indeed still wondering about that too; I'll make sure fields are using "".
Now, I tested the use of Quote in the following way:
Code:
put replaceText(fld "Finput","(quote)",empty) into Textclean
It works fine for ", though I have this problem with the next sentence where it also removes full necessary words, not just symbols...
...which also removed a non-targeted Quote (word).
Original text:
Get rid of SYMBOLS """ BUT not the Quote WORD
Cleaned text:
Get rid of SYMBOLS BUT not the WORD
I couldn't use the "replace quote.." you mentioned above yet.
Do you think it will just clean symbols only ", and not full words?
What syntax would target only symbols?
Re: Secure way to "disable" SQL injections within LC stack
Solved!
I've found this that only removes " symbols....
Code:
put replaceText(fld "Finput","(ASCII 34).",empty) into Textclean
Hopes it would work on all OSes...
Re: Secure way to "disable" SQL injections within LC stack
Well, not just fields, any object: buttons, fields, players, images, etc. For a (relatively) long time, I was writing them as you did here, despite seeing them all over the place with quotes around the name, because it seemed to work.
The problem I think is that LC's auto-magic resolution of what you type could run you afoul if you're not specific, so it may take your object name and turn it into a variable, for instance. The engine also has to put in more time, I think it was explained to me, tracking it down to see if its guessing is correct? It was something like that.
*Edit - I found that explanation I was talking about -
jacque wrote: Sat Mar 04, 2017 9:03 pm
I haven't ever seen a problem with object names like you describe, so I'm not sure what's going on there. I don't use the same conventions though, so you might try changing the prefixes to see if that matters.
All object names should be enclosed in double quotes. If they aren't, LC will do its best to see if there is an object with that name, but it introduces ambiguity and sometimes it will fail. If there are no quotes, the engine has to scan every control looking for a match, which is slower. But more importantly, if an object name is a reserved word you will get unexpected results.
Rule of thumb is to always quote literals and control names in scripts.
... so, it is just a better habit, as well as helping the readability of your code, to quote object names, i.e. button "Ok", field "myField", player "hookeyLau", etc.
teriibi wrote:
I couldn't use the "replace quote.." you mentioned above yet.
Do you think it will just clean symbols only ", and not full words?
I tested it the way I wrote it, here are the before and after shots.
Last edited by bogs on Tue Feb 13, 2018 2:59 pm, edited 1 time in total.
Re: Secure way to "disable" SQL injections within LC stack
Right, that works too and is even simpler... I guess I was trying to use "into" instead of "in".
Tks for the "" tips on all objects, not just fld!