Sqlexec from vfp fails
Message
From
25/05/2016 11:52:41
Mike Yearwood
Toronto, Ontario, Canada
To
25/05/2016 00:48:02
General information
Forum:
Microsoft SQL Server
Category:
SQL syntax
Miscellaneous
Thread ID:
01636625
Message ID:
01636795
Views:
61
>Read my post/the code exactly ;-)

Yes. His source as written is safe, but you know he's going to take the same approach with user-provided data, directly or indirectly, and expose himself, or accidentally. There is zero reason to avoid using parameters.


>
>>>>>declare @StartDate datetime , @EndDate datetime
>>>>>set @StartDate = '4/1/2016' set @EndDate = '4/30/2016'
>>>>>dt1 = DATE(2016,4,1)
>>>>>dt2 = GOMONTH(dt1,1)-1
>
>no user input involved, so no danger in the things posted. Bad pattern was acknowledged...
>
>>>Actually ***his*** source is safe against anything except for MIM attacks or total code rewrite, which would succeed even in SQL parameter cases by rewriting the whole statement, unless there is further sanitizing server side. Use the source...
>>>
>>>The SQL guy writing out the query probably to be used as a pattern in browser is another matter. BETWEEN nowadays a dirty word stateside?
>>
>>The users can populate those date values with SQL in a badly written VFP UI because the users' entries are getting concatenated ("injected") into the SQL command.
>>
>>
>>>
>>>
>>>>>I need to get some data out of SQLserver from my vfp9sp2 app
>>>>>i have never done this btw
>>>>>here is what i got from the sql guy:
>>>>>
>>>>>declare @StartDate datetime , @EndDate datetime
>>>>>set @StartDate = '4/1/2016' set @EndDate = '4/30/2016'
>>>>>
>>>>>select a.*
>>>>>from BAI.F_Transaction a
>>>>>join dbo.D_Date b on ( a.GroupAsOfDate = b.RowID )
>>>>>where  ( DTransactionID = 1018 )
>>>>>             and
>>>>>             ( b.[Date] >= @StartDate and b.[Date] <= @EndDate )
>>>>>order by a.GroupAsOfDate desc
>>>>>
>>>>>
>>>>>
>>>>>here is my vfp translation
>>>>>
>>>>>
>>>>>dt1 = DATE(2016,4,1)
>>>>>dt2 = GOMONTH(dt1,1)-1
>>>>>
>>>>>
>>>>>lcServer = [OTT-sqlprod]
>>>>>
>>>>>
>>>>>CONNSTR = [Driver={SQL Server};Server=]+lcServer+[;Trusted_connection=Yes;Database=cmdw;]
>>>>>
>>>>>lnHandle = SQLSTRINGCONNECT( CONNSTR )
>>>>>*** returns 1
>>>>>
>>>>>*** the variable is lnHandle, not Handle
>>>>>IF lnHandle < 1
>>>>>	*** STRTOFILE() takes a file name as its second argument; the name here is a placeholder
>>>>>	STRTOFILE( "Unable TO CONNECT TO SQL" + CHR(13) + CONNSTR, "sqlconnect.err" )
>>>>>	RETURN
>>>>>ENDIF
>>>>>
>>>>>
>>>>>*** the dates are merged into the SQL text as quoted literals; their format depends on SET DATE
>>>>>TEXT TO lcCMD NOSHOW TEXTMERGE
>>>>>select a.*
>>>>>from BAI.F_Transaction a
>>>>>join dbo.D_Date b on ( a.GroupAsOfDate = b.RowID )
>>>>>where  ( DTransactionID = 1018 )
>>>>>             and
>>>>>             ( b.[Date] >= '<<dt1>>' and b.[Date] <= '<<dt2>>' )
>>>>>order by a.GroupAsOfDate desc
>>>>>ENDTEXT
>>>>>
>>>>>*** result cursor name assumed; use AERROR() after a negative return to read the ODBC error
>>>>>lnSuccess = SQLEXEC( lnHandle, lcCMD, "crsTrans" )
>>>>>
>>>>>lnSuccess returns -1
>>>>>
>>>>>what am I doing wrong
>>>>
>>>>You have just made an SQL Injection Attack susceptible piece of code. It's not the hackers that are the problem with SQL Injection. It's the programmers that do not have the practice to prevent it.
>>>>
>>>>
>>>>select a.*
>>>>from BAI.F_Transaction a
>>>>join dbo.D_Date b on ( a.GroupAsOfDate = b.RowID )
>>>>where  ( DTransactionID = 1018 )
>>>>             and
>>>>             ( b.[Date] >= ?m.dt1 and b.[Date] <= ?m.dt2 )
>>>>order by a.GroupAsOfDate desc
>>>>
>>>>By passing the dt1 and dt2 as parameters nothing any hacker does can alter your sql command to turn it into a time bomb.
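Added example, not code from the thread or from either poster: the two query shapes discussed above (the date values merged into the SQL text as quoted literals, versus passed as `?` parameters) run side by side against an in-memory SQLite database in Python, so it runs offline. The table and column names mirror the thread's query, but the rows are constructed stand-ins for BAI.F_Transaction and dbo.D_Date, and the schema prefixes are dropped; SQLite's `?` placeholders play the role of VFP's `?m.dt1` / `?m.dt2`. EVIL_END_DATE is a constructed "date" that a user could type into a form whose values get concatenated into the command.

```python
import sqlite3

# Constructed stand-ins for BAI.F_Transaction and dbo.D_Date
# (hypothetical rows, not data from the thread).
SAMPLE_SCHEMA = """
CREATE TABLE D_Date (RowID INTEGER PRIMARY KEY, [Date] TEXT);
CREATE TABLE F_Transaction (DTransactionID INTEGER, GroupAsOfDate INTEGER, Amount REAL);
INSERT INTO D_Date VALUES
  (1,'2016-03-31'),(2,'2016-04-01'),(3,'2016-04-15'),(4,'2016-04-30'),(5,'2016-05-01');
INSERT INTO F_Transaction VALUES
  (1018,1,10.0),(1018,2,20.0),(1018,3,30.0),(1018,4,40.0),(1018,5,50.0),(9999,3,99.0);
"""

# Same shape as the thread's query; {start} and {end} are filled in differently below.
QUERY_SHAPE = """
select a.*
from F_Transaction a
join D_Date b on ( a.GroupAsOfDate = b.RowID )
where  ( DTransactionID = 1018 )
       and
       ( b.[Date] >= {start} and b.[Date] <= {end} )
order by a.GroupAsOfDate desc
"""


def make_db():
    """Return an in-memory SQLite connection loaded with the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SAMPLE_SCHEMA)
    return con


def query_concatenated(con, dt1, dt2):
    """The TEXTMERGE pattern ( '<<dt1>>' ): the values become part of the SQL text,
    so whatever they contain is parsed as SQL.  Returns (sql_text, rows)."""
    sql = QUERY_SHAPE.format(start=f"'{dt1}'", end=f"'{dt2}'")
    return sql, con.execute(sql).fetchall()


def query_parameterized(con, dt1, dt2):
    """The ?m.dt1 pattern: the SQL text is fixed and the values travel separately,
    so they can only ever be compared as values.  Returns (sql_text, rows)."""
    sql = QUERY_SHAPE.format(start="?", end="?")
    return sql, con.execute(sql, (dt1, dt2)).fetchall()


# Constructed malicious "end date": the quote and parenthesis close the date literal
# and the surrounding ( ... ) group, then OR in a tautology that bypasses every filter,
# including DTransactionID = 1018.
EVIL_END_DATE = "2016-04-30') OR ('1'='1"


def run_demo():
    """Run both shapes with honest dates and with the malicious end date."""
    con = make_db()
    honest = query_parameterized(con, "2016-04-01", "2016-04-30")[1]
    injected = query_concatenated(con, "2016-04-01", EVIL_END_DATE)[1]
    safe = query_parameterized(con, "2016-04-01", EVIL_END_DATE)[1]
    return {
        "honest": honest,                          # 3 rows, transaction 1018 only
        "concatenated_with_evil_input": injected,  # every row, including transaction 9999
        "parameterized_with_evil_input": safe,     # 3 rows: the string was compared, not executed
    }


if __name__ == "__main__":
    for label, rows in run_demo().items():
        print(f"{label}: {len(rows)} rows -> {rows}")
```

With the concatenated shape the malicious value rewrites the WHERE clause and the 9999 transaction leaks out along with everything else; with parameters the same value is just a string that happens to sort after '2016-04-30', so the result set is unchanged. On SQL Server, where b.[Date] is a datetime, a parameter holding that string would fail with a conversion error rather than being compared as text, but either way the statement itself cannot be altered.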