Page 1 of 2
Secure way to "disable" SQL injections within LC stack
Posted: Mon Feb 12, 2018 2:09 pm
by teriibi
HI,
For a Client/Server DB access, I m about to script "something" to restrict inputs in text fields of an LC card (fname, etc..)
The goal here is to try disabling any SQL injections from peeking users..
Anyone can recommend any (more) secured way other than the LC "Filter" functions ?
Or thats already the best way to go ?
Re: Secure way to "disable" SQL injections within LC stack
Posted: Mon Feb 12, 2018 2:31 pm
by Klaus
Hola, this is your pathfinder speaking
I think the "placeholder" approach is the way to go.
Check "revExecuteSQL" in the dictionary, scroll down to the "Description", there you will find some examples of how to use the :1, :2 ... thing
Best
Klaus
Re: Secure way to "disable" SQL injections within LC stack
Posted: Mon Feb 12, 2018 3:29 pm
by teriibi
Thanks Klaus for opening the way...
Im actually using
Code: Select all
post sentdata to url"https://www.*******
so i dont see how the "revExecuteSQL" can fit in there...
..maybe the "filter" is enough to filter the content ...at time of inputs.
Re: Secure way to "disable" SQL injections within LC stack
Posted: Mon Feb 12, 2018 4:04 pm
by FourthWorld
What is receiving the data on the server, PHP, LC Server, or something else?
Re: Secure way to "disable" SQL injections within LC stack
Posted: Mon Feb 12, 2018 4:39 pm
by Klaus
teriibi wrote: ↑Mon Feb 12, 2018 3:29 pm
Thanks Klaus for opening the way...
Im actually using
Code: Select all
post sentdata to url"https://www.*******
so i dont see how the "revExecuteSQL" can fit in there...
..maybe the "filter" is enough to filter the content ...at time of inputs.
Oh, sorry, I thought you were talking about database access.
No idea for POSTing things...
Re: Secure way to "disable" SQL injections within LC stack
Posted: Mon Feb 12, 2018 8:19 pm
by teriibi
Php is receiving the data.
Though I m investigating so as to restrict data at the very "input time" at the moment...so from Client stack
Re: Secure way to "disable" SQL injections within LC stack
Posted: Mon Feb 12, 2018 9:35 pm
by FourthWorld
Checking inputs at all levels is good. Beyond the LC-based UI, the problem becomes generic to PHP and MySQL - this guide may help:
http://php.net/manual/en/security.datab ... ection.php
Re: Secure way to "disable" SQL injections within LC stack
Posted: Mon Feb 12, 2018 9:41 pm
by teriibi
At all level, for sure..thats planned, just trying a "basic insert" prevention from one end of the line
...client stack, which I believe using Characters restriction is a start...
Re: Secure way to "disable" SQL injections within LC stack
Posted: Mon Feb 12, 2018 9:49 pm
by FourthWorld
teriibi wrote: ↑Mon Feb 12, 2018 9:41 pm
At all level, for sure..thats planned, just trying a "basic insert" prevention from one end of the line
...client stack, which I believe using Characters restriction is a start...
It certainly helps.
Re: Secure way to "disable" SQL injections within LC stack
Posted: Tue Feb 13, 2018 4:05 am
by teriibi
How does one replace or remove any double quote >>> " <<< from a string ?
Code: Select all
put replacetext(fld Finput," " "," ") into Text
is not accepted...
Re: Secure way to "disable" SQL injections within LC stack
Posted: Tue Feb 13, 2018 5:21 am
by bogs
Quote is a constant, so perhaps you could try
Code: Select all
replace quote with empty in field "yourField"
*Edit - a bit of advice I was given when I first started, make sure you use " " around your object names, such as in your code example
should be
as missing a set of quotes could really ruin your day.
Re: Secure way to "disable" SQL injections within LC stack
Posted: Tue Feb 13, 2018 1:31 pm
by teriibi
Tks Bogs, I was indeed still wondering about that too
I ll make sure fields are using "".
Now, I tested the use of Quote in the following way:
Code: Select all
put replaceText(fld "Finput","(quote)",empty) into Textclean
It works fine for ", though I have this problem with the next sentence where it also removes
full necessary words, not just symbols.
Original text:
Get rid of SYMBOLS """ BUT not the Quote WORD
Cleaned text:
Get rid of SYMBOLS BUT not the WORD
...which also removed a non targeted Quote (word)
I couldnt use the "replace quote.." you mentioned above yet
Do you think it will just clean symbols only ", and not full words ?
What syntax would target only symbols ?
Re: Secure way to "disable" SQL injections within LC stack
Posted: Tue Feb 13, 2018 1:49 pm
by teriibi
solved !
I ve found this that only removes " symbols....
Code: Select all
put replaceText(fld "Finput","(ASCII 34).",empty) into Textclean
hopes it would work on all Oses...
Re: Secure way to "disable" SQL injections within LC stack
Posted: Tue Feb 13, 2018 2:38 pm
by bogs
teriibi wrote: ↑Tue Feb 13, 2018 1:31 pm
I ll make sure fields are using "".
Well, not just fields, any object, buttons, fields, players, images, etc. For a (relatively) long time, I was writing them as you did here, despite seeing them all over the place with quotes around the name, because it seemed to work.
The problem I think is that Lc's auto-magic resolution of what you type could run you afoul if your not specific, so it may take your object name and turn it into a variable, for instance. The engine also has to put in more time I think it was explained to me, tracking it down to see if it's guessing is correct? It was something like that.
*Edit - I found that explanation I was talking about -
jacque wrote: ↑Sat Mar 04, 2017 9:03 pm
I haven't ever seen a problem with object names like you describe, so I'm not sure what's going on there. I don't use the same conventions though, so you might try changing the prefixes to see if that matters.
All object names should be enclosed in double quotes. If they aren't, LC will do its best to see if there is an object with that name, but it introduces ambiguity and sometimes it will fail. If there are no quotes, the engine has to scan every control looking for a match, which is slower. But more importantly, if an object name is a reserved word you will get unexpected results.
Rule of thumb is to always quote literals and control names in scripts.
... so, it is just a better habit, as well as helping the readability of your code, to quote object names, i.e.
button "Ok", field "myField", player "hookeyLau", etc.
I couldnt use the "replace quote.." you mentioned above yet
Do you think it will just clean symbols only ", and not full words ?
I tested it the way I wrote it, here are the before and after shots.
- Before
- Selection_003.png (6.17 KiB) Viewed 9734 times
- After
- Selection_004.png (23.72 KiB) Viewed 9734 times
Re: Secure way to "disable" SQL injections within LC stack
Posted: Tue Feb 13, 2018 2:51 pm
by teriibi
Right that works too and is even simpler...I guess I was trying to use "into" instead of "in".
Tks, for the "" tips on all objects not just fld !