From: Michel Levy (France)
To: David Mustakim (Jakarta, Indonesia)
Subject: RE: Conditional View in MySql
Thread ID: 365665 Message ID: 365693 # Views: 36 # Ratings: 0
Version: Visual FoxPro 9 SP2 Category: Databases, Tables and SQL Server
Date: Sunday, December 30, 2012 1:06:01 PM


> ... Ooh, then.. Please educate us all with a better and hopefully perfectly immune alternative. I think we are, or at the least I am, all ears now
>
> David
>
> > --
> > Rick,
> >
> > do you know that you open the door to SQL injection, with such abominable code???
> > a database developer should NEVER NEVER concatenate the variable value in the where clause.
> >
> > Please, keep your advice in the area you have some knowledge, and it seems that SQL development is out of your knowledge.
> >
> > Michel L

--
David,

following the link provided by Tanveer Ul Assam, one may see http://www.mysqltutorial.org/mysql-prepared-statement.aspx.

In a few words, imagine that a malicious user enters the following code in a textbox that sets a where clause:
"1=1 ; drop table Customer ; -- Uhh!"

The SQL statement sent to the server will end with WHERE 1=1, then the semicolon terminates the SELECT statement, with no error. Then the DROP TABLE instruction is executed, and guess what? There is no more Customer table.

If we don't concatenate, but send the content of the textbox as a typed parameter, the SQL injection will abort, because the whole content of the textbox will be used as a single value surrounded by the text delimiters.

Of course, this sample is too simple; it is only a short demonstration of SQL injection, and of why one should always use typed parameterized queries and never concatenate statements on the client side.

Michel L
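The two paths Michel describes, as an added example that is not part of the original post: the concatenated WHERE clause lets the textbox content run as stacked statements and drops the table, while the typed parameter version compares the same text as one value and the table survives. It uses Python's sqlite3 as an offline stand-in for MySQL; the Customer table, its rows and the payload string are constructed for the demo.

```python
import sqlite3

# Payload quoted in the post: what a malicious user types into the textbox.
PAYLOAD = "1=1 ; drop table Customer ; -- Uhh!"


def fresh_db():
    """Constructed sample database with a small Customer table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Customer (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO Customer (name) VALUES (?)", [("Alice",), ("Bob",)])
    con.commit()
    return con


def table_exists(con, name):
    row = con.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def concatenated_query(con, where_text):
    # Vulnerable: the textbox content is glued into the statement text.
    # executescript() stands in for a connector that accepts stacked
    # statements, which is what the post's payload relies on.
    sql = "SELECT * FROM Customer WHERE " + where_text
    con.executescript(sql)
    return sql


def parameterized_query(con, name_value):
    # Hardened: the textbox content travels as a typed parameter. The server
    # compares it against the column as one string and never parses it as SQL.
    cur = con.execute("SELECT * FROM Customer WHERE name = ?", (name_value,))
    return cur.fetchall()


def demo():
    """Run both paths on fresh databases and report what happened."""
    con_vuln = fresh_db()
    concatenated_query(con_vuln, PAYLOAD)
    dropped = not table_exists(con_vuln, "Customer")

    con_safe = fresh_db()
    rows = parameterized_query(con_safe, PAYLOAD)  # no customer has that name
    intact = table_exists(con_safe, "Customer")
    return dropped, rows, intact


if __name__ == "__main__":
    print(demo())  # (True, [], True)
```

Whether stacked statements actually execute depends on the connector (the MySQL C API, for instance, only allows them when CLIENT_MULTI_STATEMENTS is enabled), but the parameterized path is safe regardless of that setting.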
