[thelist] Select QRY problem

Ken Schaefer Ken at adOpenStatic.com
Tue Mar 15 15:53:01 CST 2005



: -----Original Message-----
: From: thelist-bounces-ken=adopenstatic.com at lists.evolt.org
: [mailto:thelist-bounces-ken=adopenstatic.com at lists.evolt.org] On Behalf Of
: Phil Turmel
: Subject: Re: [thelist] Select QRY problem
: 
: I do this by casting numbers from GET/POST/COOKIE variables into long
: integer or float.  Then concatenate into SQL statement.  If something is
: missing, I'll get a zero, but no SQL syntax error.  And I'm safe from
: deliberately malformed GET/POST contents.


Um, in most languages you'd get a type mismatch error, not a 0 :-)


: How all this is done varies with language (I use PHP on my webservers),
: but the principle is the same:  SQL Statements that include data from
: web forms or other possibly fudged data must be built from carefully
: validated substrings.  I still recommend y'all google "SQL Injection".

Absolutely. Here are some starting links:
http://www.nextgenss.com/papers/advanced_sql_injection.pdf
http://www.nextgenss.com/papers/more_advanced_sql_injection.pdf

 
: The side benefit of this: never getting a SQL syntax error from bad user
: data.

Constructing SQL statements in your presentation layer code is a maintenance
nightmare. Whilst there are obviously corner cases, I would wager that 9 out
of every 10 programmers who deal with data layers and below would tell you to
move your SQL into the database, rather than trying to maintain inline
concatenated SQL.

The better way to protect yourself against SQL Injection is to use prepared
statements (e.g. Command & Parameter Objects in ADO) coupled with stored
procedures in your database.

Cheers
Ken


More information about the thelist mailing list