[ic] Writing information to database

Mike Heins interchange-users@interchange.redhat.com
Sun Jan 13 09:01:03 2002


Quoting Steven Potter (potter@softhome.net):
> Kevin Walsh wrote:
> 
> >>I would like to write some of the users order information to a different
> >>table in the database for statistical use.  What is the best way to
> >>approach this?  I know I could do it with a [query sql=insert into ....]
> >>but that doesn't strike me as very secure.  What other methods would you
> >>suggest?  I searched the archives and didn't find anything, but if you
> >>know of a thread, point me there.
> >>
> >>
> > Although I don't understand your security concern with [query] and SQL,
> > I would suggest you edit the catalogue's etc/log_transaction file.
> > Copy the existing method of writing to the transactions table, but use
> > your own table name and contents.
> > 
> > 
> 
> The security concern with [query] is that if I had a statement like the 
> following:
> 
> [query sql=INSERT INTO table VALUES('[first_name]',.....]
> 
> What if the user was to enter something like this into the first_name field:
> 
> ; DELETE FROM table WHERE 1=1;
> 
> That could cause some serious problems...

No. It is a separate query, and Interchange doesn't use a(n) SQL shell
to process commands -- each query must be distinct. So the query would
fail as invalid.

-- 
Red Hat, Inc., 131 Willow Lane, Floor 2, Oxford, OH  45056
phone +1.513.523.7621 fax 7501 <mheins@redhat.com>

Research is what I'm doing when I don't know what I'm doing.
-- Wernher Von Braun
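As an added illustration (not from this thread, and not Interchange code), the two INSERT styles under discussion side by side, using Python's sqlite3 as a stand-in for the catalogue's database: an interpolated statement like the quoted [query sql=INSERT ... '[first_name]' ...] versus one that passes first_name as a placeholder parameter. The table name and columns are constructed for the example.

```python
import sqlite3

# Constructed stand-in for the separate "statistics" table from the thread.
SCHEMA = "CREATE TABLE stats (id INTEGER PRIMARY KEY, first_name TEXT)"


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def insert_interpolated(conn, first_name):
    # Mirrors [query sql=INSERT INTO table VALUES('[first_name]', ...)]:
    # the submitted value is pasted into the SQL text before it is parsed,
    # so any quote character in it becomes part of the statement's syntax.
    sql = f"INSERT INTO stats (first_name) VALUES('{first_name}')"
    conn.execute(sql)  # execute() runs exactly one statement, as with DBI
    conn.commit()


def insert_parameterized(conn, first_name):
    # Placeholder form: the value travels separately from the SQL text,
    # so its characters can never alter the statement's structure.
    conn.execute("INSERT INTO stats (first_name) VALUES(?)", (first_name,))
    conn.commit()


def stored_names(conn):
    return [row[0] for row in conn.execute("SELECT first_name FROM stats ORDER BY id")]


def compare(first_name):
    """Return (interpolated_result, parameterized_result) for one input."""
    results = []
    for inserter in (insert_interpolated, insert_parameterized):
        conn = new_db()
        try:
            inserter(conn, first_name)
            results.append(stored_names(conn))
        except sqlite3.Error as exc:
            results.append(f"error: {type(exc).__name__}")
    return tuple(results)


if __name__ == "__main__":
    # The second input is the one quoted in the thread; the third is an
    # ordinary customer name containing an apostrophe.
    for name in ["Alice", "; DELETE FROM table WHERE 1=1;", "O'Brien"]:
        print(repr(name), "->", compare(name))
```

The quoted input lands inside the single quotes and is stored as plain text by both forms, while a legitimate name such as O'Brien breaks the interpolated statement outright; only the placeholder version stores every input unchanged.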