[ic] Writing information to database

Kevin Walsh interchange-users@interchange.redhat.com
Fri Jan 11 04:52:00 2002


Steven Potter wrote:
> >
> > Although I don't understand your security concern with [query] and SQL,
> > I would suggest you edit the catalogue's etc/log_transaction file.
> > Copy the existing method of writing to the transactions table, but use
> > your own table name and contents.
> >
> The security concern with [query] is that if I had a statement like the
> following:
>
> [query sql=INSERT INTO table VALUES('[first_name]',.....]
>
> What if the user was to enter something like this into the first_name field:
>
> ; DELETE FROM table WHERE 1=1; That could cause some serious problems...
>
Then the actual SQL would look like this:

    INSERT INTO table VALUES('; DELETE FROM table WHERE 1=1;', ... );

That would insert the specified value into the table.  It would not
execute a DELETE.  As long as you escape any quotes etc. properly,
you will not have a problem.

-- 
   _/   _/  _/_/_/_/  _/    _/  _/_/_/  _/    _/
  _/_/_/   _/_/      _/    _/    _/    _/_/  _/   K e v i n   W a l s h
 _/ _/    _/          _/ _/     _/    _/  _/_/    kevin@cursor.uk.com
_/   _/  _/_/_/_/      _/    _/_/_/  _/    _/
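To show the point in working code (an added example, not from the thread or from Interchange; the `customers` table and the in-memory SQLite database are assumptions): the payload from the thread is inserted by string interpolation, by manual quote escaping, and as a bound parameter, and a second constructed value containing a quote shows what the escaping Kevin mentions actually protects against.

```python
import sqlite3

# Constructed sample inputs typed into the first_name field.
PAYLOAD = "; DELETE FROM customers WHERE 1=1;"          # the value from the thread
QUOTED_PAYLOAD = "'); DELETE FROM customers WHERE 1=1; --"  # same, but closing the quote first


def fresh_db():
    """Assumed schema: one table with a single text column and one existing row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (first_name TEXT)")
    conn.execute("INSERT INTO customers VALUES ('existing')")
    return conn


def insert_interpolated(conn, first_name):
    # Vulnerable: the value is pasted into the SQL text, as [query sql=...] does.
    # executescript() runs several statements at once, standing in for drivers
    # that accept stacked statements.
    conn.executescript(f"INSERT INTO customers VALUES('{first_name}')")


def insert_escaped(conn, first_name):
    # Manual escaping: double every single quote so it cannot end the literal.
    # Safe only if applied to every interpolated value, every time.
    escaped = first_name.replace("'", "''")
    conn.executescript(f"INSERT INTO customers VALUES('{escaped}')")


def insert_parameterised(conn, first_name):
    # Bound parameter: the driver passes the value separately from the SQL
    # text, so it is never parsed as SQL at all.
    conn.execute("INSERT INTO customers VALUES(?)", (first_name,))


def names(conn):
    return [r[0] for r in conn.execute("SELECT first_name FROM customers ORDER BY rowid")]


def run(insert_fn, value):
    """Insert `value` with `insert_fn` into a fresh database; return the rows left."""
    conn = fresh_db()
    insert_fn(conn, value)
    return names(conn)


if __name__ == "__main__":
    for fn in (insert_interpolated, insert_escaped, insert_parameterised):
        for value in (PAYLOAD, QUOTED_PAYLOAD):
            print(f"{fn.__name__:22} {value!r:50} -> {run(fn, value)}")
```

The thread's payload is stored literally by all three methods, as Kevin says; only the interpolated query with the quoted value loses the table, while escaping and binding both store that value as plain text.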