Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations IamaSherpa on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

SQL Injection from VFP

Status
Not open for further replies.
SteveDingle

SteveDingle

Programmer
Jul 26, 2004
254
GB
Heya All,

Was just reading up on the issue of SQL Injection when communicating with SQL Server from inside VFP...


... I assume the proper (only?) way to deal with it is just pre-checking before submitting code. just wondering if anyone has tips/thoughts etc...

Toodles,
Steve Dingle
D&S Business Solutions Ltd
 
Sort by date Sort by votes
Hi Steve,

Interesting article.

Our friend Christof has written a lot about this recently, especially from a VFP perspective. He had a least one article in a recent FPA about it -- including suggestions for how to defend against it.

It'd be interesting to hear if other people have got any ideas.

Mike


__________________________________
Mike Lewis (Edinburgh, Scotland)

My Visual FoxPro site: www.ml-consult.co.uk
 
Upvote 0 Downvote
Heya Mike,

Haven't had advisor sub since I moved over here so am hopeful others will chime in.

I only just read about this subject, feel kinda bad I am behind on such a big issue

Toodles,
Steve Dingle
D&S Business Solutions Ltd
 
Upvote 0 Downvote
Ya just saw the article. Dunno if I can justify at this point for $277 for 1 year sub (or $10 Canadian [gd&rfAmericans] ). Will think about it tho.

FWIW, I was always more a FoxTalk fan when it came to content anyway
 
Upvote 0 Downvote
Steve,

Dunno if I can justify at this point for $277 for 1 year sub
Click to expand...

I shouldn't tell you this, but save your money. As of this month, the $277 only buys access to the on-line content. The printed magazine will no longer appear.

As for FoxTalk, that went down the tubes a while ago.

Although I've got a vested interest in people subscribing to these journals, I can't in all conscience advise anyone to do so.

Mike


__________________________________
Mike Lewis (Edinburgh, Scotland)

My Visual FoxPro site: www.ml-consult.co.uk
 
Upvote 0 Downvote
Hey, Steve! Long time no see.. You going to German DevCon this year?

There have been articles in the past month (sorry, I don't have references handy) that say SQL injection concerns are overrated and not something most devs need to worry about. But then, only you know your application and users so only you can determine how much concern you should have.

Craig Berntson
MCSD, Visual FoxPro MVP, Author, CrysDev: A Developer's Guide to Integrating Crystal Reports"
 
Upvote 0 Downvote
Heya Craig,

Re: Frankfurt... still up in the air but I'm hopeful, nothing like a good German beer.. ooh and of course the sessions are great too

Re: concerns are overrated... read that too, but I've been using the 'm.' syntax for variables for years just in case. :) I always try to get things to the point where I can say to the clients "well that wasn't my fault because"

Hope ta see ya in Germany!



Toodles,
Steve Dingle
D&S Business Solutions Ltd
 
Upvote 0 Downvote
Hello Mike,

I'm not sure you are right with the EXECSCRIPT analogon to what SQL Server does with parameters.

Eg you can pass "O'Neil" by parameter and it won't blow something like

Code: 
lcName="O'Neil"
sqlExec("select * from persons where name=?lcName")

whereas lcName="O'Neil" would break

Code: 
lcName="O'Neil"
sqlExec("select * from persons where name='"+lcName+"'")

So the way it works is that lcName is passed in parallel to SQL Server and it is not simply substituted into the SQL, but SQL internally keeps statement and parameter seperated.

Bye, Olaf.
 
Upvote 0 Downvote
Hi Mike,

Code: 
lcName="O'Neil"
sqlExec("select * from persons where name=?lcName")
works, if you want I can make it a more verbose version.

That is, sql server does not simply print the lcName string into it to get select * from persons where name=O'Neil, which wouldn't work at all. It's working, because the way sql server handles parameters in sql statements corresponding to their variable type.

qed.

Bye, Olaf.
 
Upvote 0 Downvote
Mike,

This works and cannot be injectable:
Code: 
m.lcName = "O'Neill"
EXECSCRIPT("SELECT * FROM table WHERE SURNAME = ?m.lcName")

correct and the same way were my examples. So you can prevent injection by parameterized sql, which was the whole point.

Bye, Olaf.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

bharons
  • Locked
  • Question
Update Data SQL server Using Create Cursor VFP
Replies
13
Views
815
bharons
bharons
Ashwani Bansal
  • Locked
  • Question
Sending bulk email messages from VFP 6.0 and VFP 9
Replies
12
Views
1K
Dan Olsson
Dan Olsson
infinetecode
  • Locked
  • Question
VFP Report : Dynamics
Replies
4
Views
494
Chris Miller
Chris Miller
RTD78
  • Locked
  • Question
VFP Form Refresh
Replies
2
Views
469
RTD78
RTD78
bharons
  • Locked
  • Question
update data table sql server using form vfp 2
Replies
13
Views
468
bharons
bharons

Part and Inventory Search

Sponsor

Back
Top