DBMSes. What DBMS are you using?
If you're using something with stored procedure support, you may want to set up your transactions as procedures.
Having code in your page that says:
SQL = "DELETE FROM table WHERE ITEM1 = '" & request.form("toDelete") & "'"
could be potentially dangerous. If someone managed to figure out your table name, they could populate request.form("toDelete") with the following:
1;DROP TABLE table;
Which would delete item #1, and then dump the table. So very not good.
If you run your statement as a proc, rather than a text string, you can greatly reduce your risk of having your DB get hosed.
(sidenote/threadjack - this is why I haven't moved to MySQL yet - once the stored procedure support is there, I'll hit it. In the meantime, it's SAP DB for Open-Source database stuff. w00t.)
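As an added example (not the poster's code), the same DELETE written in Python against a constructed in-memory SQLite table: a lone apostrophe in the input breaks the concatenated statement, which is the tell-tale sign that user data is reaching the SQL parser, while the bound-parameter form treats the same input as plain data. The parameter binding stands in for the code/data separation the post gets from a stored procedure call.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the post's table and its ITEM1 column."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE items (ITEM1 TEXT NOT NULL)")
    con.executemany("INSERT INTO items VALUES (?)", [("1",), ("2",), ("3",)])
    return con


def count_rows(con):
    return con.execute("SELECT COUNT(*) FROM items").fetchone()[0]


def delete_concat(con, to_delete):
    """Vulnerable form, mirroring the ASP line: input spliced into SQL text.

    Returns (rows_left, error_text); error_text is None when the statement
    parsed and ran.  A parse error on ordinary-looking input proves the
    value is being interpreted as SQL rather than as a value.
    """
    sql = "DELETE FROM items WHERE ITEM1 = '" + to_delete + "'"
    try:
        con.execute(sql)
        return count_rows(con), None
    except sqlite3.Error as exc:
        return count_rows(con), str(exc)


def delete_param(con, to_delete):
    """Hardened form: the value is bound as a parameter, never parsed as SQL."""
    con.execute("DELETE FROM items WHERE ITEM1 = ?", (to_delete,))
    return count_rows(con), None


if __name__ == "__main__":
    # "1" behaves the same either way; "1'" only misbehaves when concatenated.
    for inp in ("1", "1'"):
        print("concat", repr(inp), delete_concat(make_db(), inp))
        print("param ", repr(inp), delete_param(make_db(), inp))
```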