Level Extreme platform
Subscription
Corporate profile
Products & Services
Support
Legal
Français
External Queries
Message
From
28/09/2012 15:15:04
Tore Bleken (Online)
Vear, Norway
 
 
To
28/09/2012 14:14:32
Mike Yearwood
Toronto, Ontario, Canada
General information
Forum:
Visual FoxPro
Category:
Coding, syntax & commands
Title:
Re: External Queries
Environment versions
Visual FoxPro:
VFP 9 SP2
OS:
Windows XP SP2
Network:
Windows 2003 Server
Database:
Visual FoxPro
Application:
Desktop
Miscellaneous
Thread ID:
01553822
Message ID:
01553882
Views:
43
>>>>No, VFP always checks inside the exe/app first. Btw, your solution sounds like a perfect description of how NOT to do things since a user can easily do anything with the data....! Have you ever heard of SQL injection?
>>>>
>>>>>I have an app that includes a reporting module; this runs "external" queries and reports - that is, they are not compiled into my app. So for example my reporting module might call c:\localQueries\query1.prg to generate a cursor and then c:\localReports\report1.frx to report on the data. If my compiled app also includes a prg called "query1", at run time this gets called in preference to the external query - despite me calling the external prg with a fully qualified path name. Is there some way to avoid this - other than making sure the external queries are all named differently to any prgs compiled into the app.
>>>>>
>>>>>Thanks in advance
>>>>>Barry Sutton
>>>
>>>Hi Tore
>>>
>>>SQL Injection is only possible when a database server is executing queries. It also requires an inexperienced programmer to construct SQL by concatenating user values into the command string to be executed, instead of sending user values as parameters.
>>
>>It's also possible against DBFs.
>
>Could you give an example?
>
>The only way I know to make vfp *simulate* a SQL Injection Attack might be:
>
>lcUserEntry = thisform.sometextbox.value
>lcSQL = 'select * from sometable where somefield = " ' + m.lcUserEntry + ' " '
>Execscript(m.lcSQL)
>
>The user entry might be
>
>
" < alt+013 >< alt+010 >SELECT sometable< alt+013 >< alt+010 >SET SAFETY OFF< alt+013 >< alt+010 >ZAP< alt+013 >< alt+010 >*
>
>Had the lcSQL line been this:
>
>lcSQL = 'select * from sometable where somefield = m.lcUserEntry'
>
>and if lcUserEntry was private, then the sql command would effectively be parameterized. The execscript would not execute the content of lcUserEntry. That's why it's called SQL Injection. The content of a variable is injected into an SQL command.

He says that he creates separate prgs on the fly, which means that the whole SQL statement is stored inside the prgs. Since a prg must be compilable, you can include anything in there. Maybe SQL injection as such, but the result is the same.


Gone phishing

How to create sample data
Previous
Next
Reply
Map
View

Click here to load this message in the networking platform