Yes, sure. Just like: replace "'" with "\'" in myDataToQuery. I think this one prevents 90% of SQL injection attacks. It could be used for quotes, semicolons, etc. I think this is the best way of protecting ourselves.
Regards
Edoardo
LiveCode security
Re: LiveCode security
Hi Edouardo,
There is more you can do. For example, you can check that data types are correct for all fields. If a field should contain numbers only and a query tries to update the field with unexpected symbols, then it might make sense to ignore the query.
Kind regards,
Mark
The biggest LiveCode group on Facebook: https://www.facebook.com/groups/livecode.developers
The book "Programming LiveCode for the Real Beginner"! Get it here! http://tinyurl.com/book-livecode
Re: LiveCode security
Hi,
Yes, obviously, but I'm always thinking of a login form, where the user can insert text and symbols if he wants. This is the worst case, I think.
By the way, I think that with SQL injection we are done. And what about database connections? I read that when trying to open databases, we can add a parameter that says to use SSL, if I remember correctly. This evening, if I have time, I will try with Wireshark to open a local database and see if the user and password can be read, with or without the use of SSL.
Regards,
Edoardo
Re: LiveCode security
One of the best ways to prevent SQL injection is to limit the number of characters in a field to what is required or slightly more.
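Pulling together the three defences suggested in this thread (escaping quotes, checking data types, capping field length), here is an added example; it is not code from any of the posters or from LiveCode. It uses Python's built-in sqlite3 module so it runs offline; the users table, its two rows and the attacker strings are constructed for the demo, and the 32-character limit and the username character class are assumptions. Because SQLite escapes a quote by doubling it (the MySQL-style \' from the earlier post is dialect-specific), the escaping helper doubles quotes here. The point worth seeing is the numeric column: escaping does stop the classic quoted login payload, but does nothing for `WHERE id = 1 OR 1=1`, which needs no quote at all; validation plus placeholders handles both cases.

```python
"""Added example, not code from the forum posts or from LiveCode: the
three defences discussed in this thread (quote escaping, data-type checks,
length limits) tried against a constructed SQLite database, next to
parameterised queries. sqlite3 is in the standard library; runs offline."""
import re
import sqlite3

# Assumed field width for usernames ("what is required or slightly more").
MAX_USERNAME_LEN = 32
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]+")  # assumed allowed characters
ID_RE = re.compile(r"[0-9]{1,10}")             # numeric field: digits only


def make_db():
    """Constructed sample data: two users. Passwords are stored in clear
    only to keep the demo short; a real table would hold password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, "
                 "pw TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users (name, pw, is_admin) VALUES (?, ?, ?)",
                     [("alice", "s3cret", 1), ("bob", "hunter2", 0)])
    return conn


def escape_quotes(s):
    """The post's idea: neutralise the quote character. SQLite and standard
    SQL escape a quote by doubling it; the \\' form is MySQL-specific and
    would not work here, so escaping rules already depend on the dialect."""
    return s.replace("'", "''")


# --- concatenation plus escaping (the pattern under discussion) ----------

def login_escaped(conn, user, pw):
    """String columns: escaping does stop the classic ' OR '1'='1 payload."""
    sql = ("SELECT id, name FROM users WHERE name = '%s' AND pw = '%s'"
           % (escape_quotes(user), escape_quotes(pw)))
    return conn.execute(sql).fetchone()


def lookup_escaped(conn, user_id):
    """Numeric column: the value is not quoted in the statement, so the
    attacker never needs a quote and escaping changes nothing."""
    sql = ("SELECT id, name, is_admin FROM users WHERE id = %s"
           % escape_quotes(user_id))
    return conn.execute(sql).fetchall()


# --- validation plus parameterised queries -------------------------------

def validate_username(s):
    """Type/length check: reject anything outside the expected shape."""
    if len(s) > MAX_USERNAME_LEN or not USERNAME_RE.fullmatch(s):
        raise ValueError("username rejected")
    return s


def validate_id(s):
    """A field that should contain numbers only gets only digits."""
    if not ID_RE.fullmatch(s):
        raise ValueError("id rejected")
    return int(s)


def login_param(conn, user, pw):
    """Placeholders: the driver passes values separately from the SQL text,
    so the password may contain any character without altering the query."""
    user = validate_username(user)
    return conn.execute(
        "SELECT id, name FROM users WHERE name = ? AND pw = ?",
        (user, pw)).fetchone()


def lookup_param(conn, user_id):
    """Validated integer bound through a placeholder."""
    return conn.execute(
        "SELECT id, name, is_admin FROM users WHERE id = ?",
        (validate_id(user_id),)).fetchall()


def rejected(fn, *args):
    """True if the call was refused by validation."""
    try:
        fn(*args)
        return False
    except ValueError:
        return True


def demo():
    """Run the attacker strings through both variants; returns a summary."""
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        "escaped_string_blocked": login_escaped(conn, "alice", payload) is None,
        "escaped_numeric_rows": len(lookup_escaped(conn, "1 OR 1=1")),
        "escaped_admin_rows": lookup_escaped(conn, "0 OR is_admin=1"),
        "param_string_blocked": login_param(conn, "alice", payload) is None,
        "param_numeric_rejected": rejected(lookup_param, conn, "1 OR 1=1"),
        "param_legit_login": login_param(conn, "bob", "hunter2"),
        "param_too_long": rejected(login_param, conn, "x" * 33, "pw"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running `demo()` shows the escaped login refusing the quoted payload while the escaped numeric lookup returns every row (and `0 OR is_admin=1` returns exactly the admin); the parameterised variants reject the malformed id and the over-long username before any SQL is built, and still log bob in normally.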
Re: LiveCode security
Hi Edoardo,
As I wrote before, use SSL for the database connection or SSH in combination with a tunnel.
Kind regards,
Mark