Subject Re: locate O'Connor
Author Adam
--- In firebird-support@yahoogroups.com, Sam Hunt <shunt@n...> wrote:
> Adam wrote:
>
> > --- In firebird-support@yahoogroups.com, "delphigurusam" <shunt@n...>
> > wrote:
> > > FB 1.5.2 B:4731
> > >
> > > sql.strings[2]:='where
> > > upper(Last_Name)='+#39+uppercase(dbeditLastName.Text)+#39+' ';
> > >

I should elaborate on what I mean by safer.

Assuming your string is

How much damage would be done if I said my last name was

A' or '1'='1

Being a select, probably not much, but if it was an update, I have
made you modify every record in your table. Programming that allows a
knowledgeable user to insert whatever SQL statement they want is quite
dangerous. They may be able to access information you think they
can't, modify information they shouldn't be allowed to, or cause your
query to have to run a massive subselect joining massive tables
without an appropriate index, and effectively forcing you to restart
firebird to clear the connection so others can work.

At least with parameters, you have some assurance that while they may
end up with a strange looking surname, it is not going to wreck your
database.

The reader is left to imagine what would happen if I somehow created
a query that could delete from rdb$pages or something equally
destructive.

This may be FUD, but that might just mean you are lucky enough to be
writing software for users who have no vested interest in breaking
your software.

Adam
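The scenario described in the message above, as an added example that is not part of the original post or of Firebird: Python with the standard-library sqlite3 module standing in for Firebird (an assumption; the quoted code is Delphi against FB 1.5.2), a `people` table with three constructed rows, and the same UPDATE built two ways. `update_by_concat` glues the surname into the statement text the way the quoted Delphi line does with `#39`; `update_with_parameter` passes it as a bound parameter. Running both with the surname from the message, and with the O'Connor from the subject line, shows the concatenated form archiving every row in one case and failing on the apostrophe in the other, while the parameterized form only ever touches the row whose surname actually matches.

```python
import sqlite3

# Constructed sample data; sqlite3 is used in place of Firebird (assumption).
SAMPLE_ROWS = [
    (1, "O'Connor", "active"),
    (2, "Hunt", "active"),
    (3, "Smith", "active"),
]


def fresh_db():
    """Return a new in-memory database holding the three constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "create table people (id integer primary key, last_name text, status text)"
    )
    con.executemany("insert into people values (?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    return con


def update_by_concat(con, last_name):
    """Mirror of the quoted Delphi: the value is spliced into the SQL text
    between single quotes, so the value can change the statement itself."""
    sql = (
        "update people set status = 'archived' where upper(last_name) = '"
        + last_name.upper()
        + "' "
    )
    cur = con.execute(sql)
    con.commit()
    return cur.rowcount  # rows the statement actually changed


def update_with_parameter(con, last_name):
    """Same statement, but the value travels as a parameter, never as SQL."""
    cur = con.execute(
        "update people set status = 'archived' where upper(last_name) = ?",
        (last_name.upper(),),
    )
    con.commit()
    return cur.rowcount


def run_update(con, updater, last_name):
    """Run one updater and report ('ok', rows_changed) or ('error', exc_name),
    so a statement the database refuses is visible instead of a crash."""
    try:
        return ("ok", updater(con, last_name))
    except sqlite3.Error as exc:
        con.rollback()
        return ("error", type(exc).__name__)


def archived_count(con):
    """How many rows the update reached, read back from the table."""
    return con.execute(
        "select count(*) from people where status = 'archived'"
    ).fetchone()[0]


if __name__ == "__main__":
    # The surname from the message, and the one from the subject line.
    for surname in ("A' or '1'='1", "O'Connor"):
        for updater in (update_by_concat, update_with_parameter):
            con = fresh_db()
            outcome = run_update(con, updater, surname)
            print(f"{updater.__name__:22} {surname!r:18} -> {outcome}, "
                  f"archived={archived_count(con)}")
```

The concatenated form turns a single-row update into a whole-table update for the first input and into a rejected statement for a perfectly ordinary surname; the parameterized form needs no quote handling at all, which is also the answer to the apostrophe problem in the thread's subject.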