Re: LiveCode security
Posted: Wed May 16, 2012 11:19 pm
by edoardotognoni
Yes, sure. Just like: replace "'" with "\'" in myDataToQuery. I think that this one prevents 90% of the SQL injection attacks. It could be used for quotes, semicolons, etc. I think this is the best way of protecting ourselves.
Regards
Edoardo
Re: LiveCode security
Posted: Thu May 17, 2012 1:27 am
by Mark
Hi Edoardo,
There is more you can do. For example, you can check that data types are correct for all fields. If a field should contain numbers only and a query tries to update the field with unexpected symbols, then it might make sense to ignore the query.
Kind regards,
Mark
Re: LiveCode security
Posted: Thu May 17, 2012 9:00 am
by edoardotognoni
Hi,
Yes, obviously, but I'm always thinking of a login form, into which the user can insert text and symbols if he wants. This is the worst case, I think.
By the way, I think that with SQL injection we are done. And what about database connections? I read that when trying to open databases, we can add a parameter that says to use SSL, if I remember correctly. This evening, if I have time, I will try opening a local database with Wireshark running and see if the user and password can be read, with or without the use of SSL.
Regards,
Edoardo
Re: LiveCode security
Posted: Sun May 20, 2012 2:54 am
by shawnbeagleBUSUpkN
One of the best ways to prevent SQL injection is to limit the amount of characters in a field to what is required or slightly more.
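As an added illustration of the three suggestions made in this thread (escaping quotes, checking field types, and capping field length), written here in Python rather than LiveCode and not code from any of the posters: it validates a constructed login form and then runs the lookup with bound parameters, an approach the thread does not mention but which keeps the values out of the SQL text entirely. The field names, limits and sample table are assumptions.

```python
import re
import sqlite3

# Constructed rules for a login form (an assumption, not from the thread):
# text fields get a length cap, the account id must be digits only.
FIELD_RULES = {"username": ("text", 32), "password": ("text", 64),
               "account_id": ("number", 10)}

def escape_quotes(value):
    """Escaping step from the thread, for SQL built as a string.
    The backslash is escaped first so an existing one cannot cancel the
    escape we add."""
    return value.replace("\\", "\\\\").replace("'", "\\'")

def check_field(name, value):
    """Type check and length limit for one field; None means it passed."""
    kind, max_len = FIELD_RULES[name]
    if len(value) > max_len:
        return f"{name}: longer than {max_len} characters"
    if kind == "number" and not re.fullmatch(r"[0-9]+", value):
        return f"{name}: digits only"
    return None

def validate_form(form):
    """Run every check; an empty list means the form is acceptable."""
    problems = []
    for name, value in form.items():
        if name not in FIELD_RULES:
            problems.append(f"{name}: unexpected field")
        elif (problem := check_field(name, value)) is not None:
            problems.append(problem)
    return problems

def demo_db():
    """Constructed in-memory table with one sample account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, account_id INTEGER)")
    conn.execute("INSERT INTO users VALUES ('edoardo', 42)")
    return conn

def login_matches(conn, form):
    """Reject bad forms first, then query with bound parameters so the
    values are never spliced into the SQL text at all."""
    if validate_form(form):
        return False
    row = conn.execute(
        "SELECT 1 FROM users WHERE username = ? AND account_id = ?",
        (form["username"], int(form["account_id"])),
    ).fetchone()
    return row is not None
```

A name such as o'brien passes validation and is matched literally by the bound parameter, with no escaping step needed.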
Re: LiveCode security
Posted: Sun May 20, 2012 9:04 am
by Mark
Hi Edoardo,
As I wrote before, use SSL for the database connection or SSH in combination with a tunnel.
Kind regards,
Mark