
Security the Basics

Lesson 5: SQL injection

What is SQL injection? It is a code injection technique in which malicious SQL statements are inserted into an entry field for execution. This can happen if SQL filters or a completely embedded SQL query are being used.

  1. A sample SQL injection is shown using a unique filter. The sample can be found in the file sql-injections.txt in the workspace.
  2. By filtering on "') or (' '='" in the application, a user can view guest user messages that should be private.
  3. To prevent these attacks, Squeaks have been added to DataFlex.
  4. In the DataFlex Studio, expand ‘WebApp.src’ in the ‘Workspace Explorer’ panel on the right, expand ‘Web Views,’ and double click ‘SqueakSelect.wo.’
  5. The filter within SqueakSelect.wo sends a rebuilt constraint that has been built in the constraints. It is necessary to make sure the filter is properly escaped, and there are functions for that in the Data Dictionary.
  6. Searching for “SQLescape” in the help will show the ‘SQLEscapedStr’ function in the Data Dictionary. This, and several other functions found in the help, can be used.
  7. The use of this function will not be demonstrated in this lesson because it is simple to implement, but it is extremely important that it is used because there is a severe security risk without it.