orcwrath
Posted: Fri Aug 21, 2009 1:26 am    Post subject: Avoiding SQL Injection
Newbie
Joined: 16 Jan 2009    Posts: 2
Looking round this forum I have found a couple of references to how coding ESQL DB statements in a particular fashion can leave it open to SQL injection. What is the correct method of ESQL coding to avoid SQL injection? Is it as simple as always using PASSTHRU because it uses parameters?
Monk
Posted: Wed Sep 09, 2009 3:15 am    Post subject:
Master
Joined: 21 Apr 2007    Posts: 282
Is the data coming from some front-end app, and are you using that data as-is in your SQL query? Then it's the front end's job to make sure you can't do a SQL injection; perhaps some front-end validation might help.
_________________
Thimk
WMBDEV1
Posted: Wed Sep 09, 2009 4:06 am    Post subject:
Sentinel
Joined: 05 Mar 2009    Posts: 888    Location: UK
Monk wrote:
> Is the data coming from some front-end app, and are you using that data as-is in your SQL query? Then it's the front end's job to make sure you can't do a SQL injection; perhaps some front-end validation might help.

I strongly disagree. This sounds a little dreamy to me and I definitely wouldn't rely on it!
How will the calling application know if you use a DB and what flavour of DB you are using? Why should it even care?
Luke
Posted: Wed Sep 09, 2009 4:40 am    Post subject: Re: Avoiding SQL Injection
Centurion
Joined: 10 Nov 2008    Posts: 128    Location: UK
I'm inclined to agree with WMBDEV1 there, but going back to the original question/statement:

orcwrath wrote:
> What is the correct method of ESQL coding to avoid SQL injection? Is it as simple as always using PASSTHRU because it uses parameters?

I'd have to say no. PASSTHRU should only need to be used when issuing admin-type commands, or for complex queries that are not supported by native ESQL statements. Most of the time you shouldn't need to use PASSTHRU.
I think the previous discussions about 'SQL injection' recommended that IF you are using PASSTHRU, use ? and the VALUES clause to provide parameters, rather than constructing a string and passing that to PASSTHRU.
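The split Luke describes (native ESQL statements wherever they will do, and parameter markers with VALUES when PASSTHRU is unavoidable), shown side by side with the string-building pattern it replaces. This is an added example, not code posted in this thread or shipped with the product. The message tree path InputRoot.XMLNSC.Order.CustomerName, the data source name Database.MYDSN and the CUSTOMERS table are assumed for illustration; the native statements use the Compute node's configured data source. Check the ESQL reference for your broker version for the exact PASSTHRU syntax it supports.

```esql
-- Added example (not from the thread). Assumed names: OrderLookup_Compute,
-- InputRoot.XMLNSC.Order.CustomerName, Database.MYDSN, table CUSTOMERS.
CREATE COMPUTE MODULE OrderLookup_Compute
  CREATE FUNCTION Main() RETURNS BOOLEAN
  BEGIN
    -- Untrusted value taken from the inbound message (assumed path).
    DECLARE custName CHARACTER CAST(InputRoot.XMLNSC.Order.CustomerName AS CHARACTER);

    -- VULNERABLE: the value is spliced into the SQL text before the database
    -- parses it. A CustomerName of    x' OR '1'='1    turns the predicate
    -- into NAME = 'x' OR '1'='1' and every row comes back.
    DECLARE unsafeSql CHARACTER
      'SELECT ID, NAME FROM CUSTOMERS WHERE NAME = ''' || custName || '''';
    SET Environment.Variables.Unsafe[] = PASSTHRU(unsafeSql TO Database.MYDSN);

    -- SAFE (a): PASSTHRU with a ? marker and VALUES. The SQL text is fixed;
    -- custName is bound as a parameter by the driver and is never re-parsed
    -- as SQL, whatever characters it contains.
    SET Environment.Variables.Safe[] = PASSTHRU(
      'SELECT ID, NAME FROM CUSTOMERS WHERE NAME = ?'
      TO Database.MYDSN VALUES (custName));

    -- SAFE (b): native ESQL SELECT. The broker generates the SQL itself and
    -- passes host variables such as custName as bound parameters, so there
    -- is no string to inject into. Prefer this form where it is expressive
    -- enough.
    SET OutputRoot.XMLNSC.Result.Customer[] =
      SELECT C.ID, C.NAME FROM Database.CUSTOMERS AS C
      WHERE C.NAME = custName;

    -- SAFE (c): the PASSTHRU statement form for DML the native statements do
    -- not cover; the same rule applies, every dynamic value goes through VALUES.
    PASSTHRU 'UPDATE CUSTOMERS SET LAST_SEEN = ? WHERE NAME = ?'
      TO Database.MYDSN VALUES (CURRENT_TIMESTAMP, custName);

    RETURN TRUE;
  END;
END MODULE;
```

The rule of thumb that falls out of this: the SQL text passed to PASSTHRU should be a constant string in your ESQL, never the result of a concatenation that includes message data. Front-end validation of the kind Monk mentions is a reasonable extra layer, but only parameter binding in the broker removes the injection path regardless of what the caller sends.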
Monk
Posted: Wed Sep 09, 2009 4:53 am    Post subject:
Master
Joined: 21 Apr 2007    Posts: 282
Quote:
> How will the calling application know if you use a DB and what flavour of DB you are using? Why should it even care?

What if the calling app does talk to a DB? Should it not take care of SQL injection?
In this case, however, the MB is the middleman talking to the DB.
But I guess it would depend on how the application is set up.
_________________
Thimk
WMBDEV1
Posted: Wed Sep 09, 2009 4:58 am    Post subject:
Sentinel
Joined: 05 Mar 2009    Posts: 888    Location: UK
Monk wrote:
> What if the calling app does talk to a DB? Should it not take care of SQL injection?

Of course, but that wasn't the question.

Quote:
> In this case, however, the MB is the middleman talking to the DB.

So you understood the question but decided to answer a different one?
Judging from the amount of posts you're doing at the moment, it feels like you're having a quiet day in the office and we're all suffering as a result!
Monk
Posted: Wed Sep 09, 2009 6:06 am    Post subject:
Master
Joined: 21 Apr 2007    Posts: 282
Quote:
> Judging from the amount of posts you're doing at the moment, it feels like you're having a quiet day in the office and we're all suffering as a result!

Quite true.
I'm really sorry for making people suffer here. The agony, I can't imagine.
Too much stress, I guess. Maybe I should just quit this world.
_________________
Thimk
WMBDEV1
Posted: Wed Sep 09, 2009 6:12 am    Post subject:
Sentinel
Joined: 05 Mar 2009    Posts: 888    Location: UK
Monk wrote:
> Too much stress, I guess. Maybe I should just quit this world.

No, that's a little excessive; just think before you post.
Vitor
Posted: Wed Sep 09, 2009 7:44 am    Post subject:
Grand High Poobah
Joined: 11 Nov 2005    Posts: 26093    Location: Texas, USA
WMBDEV1 wrote:
> Monk wrote:
> > Too much stress, I guess. Maybe I should just quit this world.
>
> No, that's a little excessive; just think before you post.

No, not excessive at all. Much easier than thinking.
_________________
Honesty is the best policy.
Insanity is the best defence.
mqjeff
Posted: Wed Sep 09, 2009 7:51 am    Post subject:
Grand Master
Joined: 25 Jun 2008    Posts: 17447
WMBDEV1
Posted: Wed Sep 09, 2009 8:07 am    Post subject:
Sentinel
Joined: 05 Mar 2009    Posts: 888    Location: UK
Jeff, is that meant to be a dig at me for not getting your subtle reference to a song by some guy I've never heard of? Just because I missed it doesn't mean I wasn't thinking in my responses!
Vitor
Posted: Wed Sep 09, 2009 8:11 am    Post subject:
Grand High Poobah
Joined: 11 Nov 2005    Posts: 26093    Location: Texas, USA
WMBDEV1 wrote:
> Jeff, is that meant to be a dig at me for not getting your subtle reference to a song by some guy I've never heard of? Just because I missed it doesn't mean I wasn't thinking in my responses!

At least you worked out it was a song in the end.....
_________________
Honesty is the best policy.
Insanity is the best defence.
mqjeff
Posted: Wed Sep 09, 2009 8:12 am    Post subject:
Grand Master
Joined: 25 Jun 2008    Posts: 17447
WMBDEV1 wrote:
> Jeff, is that meant to be a dig at me for not getting your subtle reference to a song by some guy I've never heard of? Just because I missed it doesn't mean I wasn't thinking in my responses!

No, not at all.
It's a recursive re-reference to the other conversation: plagiarism is in general much easier than thinking.
And it wasn't a dig at all in the other thread either. I was just saying that you missed my point.
Vitor
Posted: Wed Sep 09, 2009 8:25 am    Post subject:
Grand High Poobah
Joined: 11 Nov 2005    Posts: 26093    Location: Texas, USA
mqjeff wrote:
> I was just saying that you missed my point.

No-one listens to good, classic music any more.
_________________
Honesty is the best policy.
Insanity is the best defence.
WMBDEV1
Posted: Wed Sep 09, 2009 9:14 am    Post subject:
Sentinel
Joined: 05 Mar 2009    Posts: 888    Location: UK
Vitor wrote:
> At least you worked out it was a song in the end.....

Google to the rescue! It did make me chuckle a little when Google revealed all!
I'll see if I can find some apt quotes from my "youth" music to come back with.