igorBUSvRhc wrote:Is there a way to sanitise user input against SQL injection attacks in LiveCode?
function sanitize str
   -- to avoid very long str
   put char 1 to 20 of str into str
   -- strip characters commonly used to break out of a quoted SQL literal
   replace quote with "" in str
   replace "'" with "" in str
   replace space with "" in str
   replace "," with "" in str
   replace ";" with "" in str
   replace "=" with "" in str
   return str
end sanitize
Mark wrote:That makes no sense if a direct connection to the MySQL server is possible. It only makes sense if you're using PHP or a similar language.
Mark wrote:If you're using commands like revExecuteSQL, it means that your web host allows for external access to the MySQL database server.
Mark wrote:The safest way is to hardcode your queries. Rather than sending complete queries from the desktop app to the server, only send a code and some data to the server. The code refers to a particular query and the data completes the query before it is executed. If no or an incorrect code is sent, you can ignore the request.
If you additionally encrypt the codes and the data sent to the server and decrypt them on the server, then you have quite a safe system.
igorBUSvRhc wrote:I guess I might have to roll up my sleeves and get down to coding my own SQL-safety functions, then!
bangkok wrote:I believe the best system is a multiple system:
-the desktop app would send only "parameters"
-a mixing of "hard coded" queries on the server (UPDATE mytable set XX=parameter1 WHERE BB=parameter2, therefore if the hacker sends a subquery nested in the parameter, it won't work, it will give only an error)
bangkok wrote:-a sanitization system, adapted to each type of query and/or type of parameters
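The server-side half of the design Mark and bangkok describe (client sends only a code plus parameters; the server holds the hardcoded queries and binds the parameters), as an added example that is not from this thread or from LiveCode. It assumes Python with sqlite3 standing in for the MySQL server, and a constructed `users` table.

```python
import sqlite3

# Whitelist of hardcoded queries, keyed by the short code the client sends.
# Only the placeholders receive client data; the SQL text never comes from
# the client. Each entry records how many parameters the query expects.
# (Constructed example; sqlite3 stands in for MySQL.)
QUERIES = {
    "get_user": ("SELECT id, name FROM users WHERE name = ?", 1),
    "set_email": ("UPDATE users SET email = ? WHERE id = ?", 2),
}


def setup_db():
    """Build a small in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "a@example.test"), ("bob", "b@example.test")],
    )
    conn.commit()
    return conn


def handle_request(conn, code, params):
    """Map the client's code to a hardcoded query, bind params, execute it.

    Unknown codes and wrong parameter counts are ignored (returns None), as
    Mark suggests. Because the parameters are bound rather than spliced into
    the query text, a subquery or quote in a parameter is just a literal
    value, which is bangkok's point about parameters-only requests.
    """
    if code not in QUERIES:
        return None
    sql, nparams = QUERIES[code]
    if len(params) != nparams:
        return None
    cur = conn.execute(sql, tuple(params))
    conn.commit()
    return cur.fetchall()
```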
bangkok wrote:Regarding your encryption system... sounds nice, but how do you know that the user who identifies himself with login+password on the desktop app will be the same one who later sends a SQL query to the server?