Re: How To Protect Against SQL Injection Attack?
Posted: Sun May 27, 2012 2:41 am
Mark wrote:
I guess we need to test this some time. I never use LiveCode's built-in SQL commands, but when I have some time I'll try putting SQL syntax into the variables.

I am currently doing the 'Business Academy' offered by RunRev, and the latest daily lesson is about performing SQL queries. During the lesson, it is shown that:
1) if you build your entire SQL query yourself, then you have to escape your own characters and do your own sanitisation
2) LiveCode *can* do this automatically for you, if you place your query terms into variables first, and then place your variables into the query using placeholders, as explained in the dictionary. Using this method, LiveCode will escape and encode the data appropriately, supposedly even taking into consideration the database type and connection settings.
So, if you are building your query like this, LiveCode is not helping, and you do need to escape your own query:
-- Unsafe: theSearchString is concatenated into the SQL text, so a quote in it ends the string literal
get revDataFromQuery(tab, return, gConnectionID, "SELECT * FROM users WHERE email LIKE '%" & theSearchString & "%'")

-- Safe: the :1 placeholder is filled from the variable named in the fifth argument, and LiveCode escapes it
-- (note the % wildcards are no longer in the SQL text, so they would have to be inside theSearchString)
get revDataFromQuery(tab, return, gConnectionID, "SELECT * FROM users WHERE email LIKE :1", "theSearchString")
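To make the difference concrete, here is the same pair of queries written in Python against an in-memory SQLite table. This is an added example, not code from the post or from LiveCode: sqlite3's `?` parameter stands in for LiveCode's `:1` placeholder, and the table, rows, the `INJECTED` search term and the function names are all constructed for the illustration.

```python
import sqlite3

# Constructed sample rows (not from the original post).
USERS = [
    ("alice@example.com", "Alice"),
    ("bob@example.com", "Bob"),
    ("carol@example.org", "Carol"),
]

# A search term containing a quote. Concatenated into the SQL text it becomes
#   ... WHERE email LIKE '%x' OR '%'='%'
# which is true for every row; bound as a parameter it is just a string that matches nothing.
INJECTED = "x' OR '%'='"


def make_db():
    """Create an in-memory users table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def search_concatenated(conn, search_string):
    """Mirrors the first LiveCode call: the term is pasted into the SQL text."""
    sql = "SELECT email FROM users WHERE email LIKE '%" + search_string + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_bound(conn, search_string):
    """Mirrors the second LiveCode call: the SQL text is fixed and the term is bound.

    The LIKE wildcards live in the bound value, not in the SQL text, which is
    what the placeholder form of the LiveCode query requires as well.
    """
    sql = "SELECT email FROM users WHERE email LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + search_string + "%",))]


if __name__ == "__main__":
    db = make_db()
    for term in ("example.com", INJECTED):
        print(repr(term))
        print("  concatenated:", search_concatenated(db, term))
        print("  bound:       ", search_bound(db, term))
```

With an ordinary term both functions return the two example.com addresses; with `INJECTED` the concatenated version returns all three rows while the bound version returns none. Binding only stops the term from breaking out of the string literal: `%` and `_` inside a bound value are still LIKE wildcards, so if a user should not be able to search with wildcards those two characters need escaping (with an `ESCAPE` clause) as a separate step.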