Welcome To The Home Of The Visual FoxPro Experts  
From: Michel Levy (France)
To: Rick C. Hodgin (Indianapolis, Indiana - United States)
Subject: RE: Conditional View in MySql
Thread ID: 365665 Message ID: 365716 # Views: 33 # Ratings: 0
Version: Visual FoxPro 9 SP2 Category: Databases, Tables and SQL Server
Date: Sunday, December 30, 2012 6:19:54 PM

> > do you know that you open the door to SQL injection,
> > with such abominable code???
>
> The OP said "select any product from VFP form". I had assumed by use of the word "select" that it came from a prior query revealing only valid items. But regardless, my code example wasn't designed to fill the user's explicit request, such as copy-and-paste my code into their project, but rather was designed to demonstrate the steps required to build a SQL expression containing variable portions.
>
> > a database developer should NEVER NEVER concatenate
> > the variable value in the where clause.
>
> If your system passes raw data that hasn't gone through any validity checks, then I agree. Such a system design is dangerous, not the assembly through concatenation.
>
> Michel, all a person is doing prior to SQLEXEC is building a proper syntax SQL expression for the remote engine. In VFP you can use ?whatever, but not in all languages. The form I used works identically and conveys explicitly what's taking place -- i.e., the user is building the variable portions atop/alongside the fixed ones, and it works as a concept in general.
>
> > Please, keep your advice in the area you have some
> > knowledge, and it seems that SQL development is out
> > of your knowledge.
>
> How do you conclude this?
>
> Programming is a complex process involving many, many factors. The example I gave here demonstrates building a variable SQL expression. There is much more involved than this in making a robust, secure system. I am sure you know this.
>
> Best regards,
> Rick C. Hodgin

--
Rick,

I disagree: whatever validity checks you can put in your client design, you will never avoid SQL injection any other way than with parametrization. Every concatenation is a possible entrance for SQL injection. The example you gave does not demonstrate how to build a variable SQL expression, no. It demonstrates how to build an insecure client system, that a DBA will decline, and where the developer could be prosecuted in case of a successful attack against the server (at least in some countries).

I agree: programming is a complex process, and I think that the SQL RDBMS world is in itself a complex process, with some specific rules. Before I began to develop more deeply with SQL Server I did not imagine how complex and specific it may be (in other words, when I believed that Clipper/Fox/VFP was something similar to SQL).

You say that some languages have no ability to send parameters; could you elaborate, please?

Michel L
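The two ways of supplying the variable part of the WHERE clause that this exchange argues about, side by side, as an added example that is not from the thread: Python's sqlite3 module stands in for VFP's SQLEXEC against MySQL, its `?` marker plays the role of VFP's `?variable`, and the product table and its rows are constructed here. A product name that merely contains a quote is enough to show why the concatenated form cannot be trusted with data it did not generate itself.

```python
import sqlite3

def make_db():
    # Constructed in-memory table standing in for the remote product table.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE product (id INTEGER, name TEXT, price REAL)")
    con.executemany(
        "INSERT INTO product VALUES (?, ?, ?)",
        [(1, "Widget", 9.5), (2, "O'Reilly book", 30.0), (3, "Gadget", 12.0)],
    )
    return con

def find_by_name_concat(con, name):
    """WHERE clause built by string concatenation (the pattern under debate).
    The data value becomes part of the statement text, so the SQL parser,
    not the application, decides where the value ends."""
    sql = "SELECT id, name, price FROM product WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()

def find_by_name_param(con, name):
    """Same query with a parameter marker; the statement text is fixed and the
    value travels separately, as with ?name in a VFP SQLEXEC call."""
    sql = "SELECT id, name, price FROM product WHERE name = ?"
    return con.execute(sql, (name,)).fetchall()

def compare(name):
    """Return (concat_result, param_result) for one lookup; concat_result is
    the error text when the concatenated statement no longer parses."""
    con = make_db()
    try:
        concat = find_by_name_concat(con, name)
    except sqlite3.OperationalError as e:
        # The quote inside the data closed the string literal early, so the
        # rest of the name was parsed as SQL rather than as a value.
        concat = "error: " + str(e)
    param = find_by_name_param(con, name)
    return concat, param

if __name__ == "__main__":
    for n in ("Widget", "O'Reilly book"):
        print(repr(n), "->", compare(n))
```

A plain name returns the same row either way; the name with an apostrophe breaks the concatenated statement while the parameterized one still finds the row, which is the boundary confusion that any validity check on the client has to anticipate and that parameter passing removes entirely.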
