SQLitening Support Forum

 1 
 on: December 19, 2018, 08:03:06 PM 
Started by D. Wilson - Last post by cj
Quote
Using SQLitening, what measures should be adopted to prevent SQL injection attacks? Any thoughts would be appreciated.

This is an old thread from 2015, but these answers were not given.
Today is 12/19/2018.

slExeBind
slSelBind
https://www.sqlitening.planetsquires.com/index.php?topic=9730.msg26326;topicseen#msg26326

Thoughts:
I've wondered who would inject the code in a local network?
If they can inject code they can just as easily write SQL statements or delete a database.
If used over the internet the transmissions should be encrypted, so they shouldn't be able to inject.

I like slExeBind because text can be inserted "as is" without needing to wrap text with $SQ and also wrap embedded $SQ's.

 2 
 on: December 19, 2018, 07:47:03 PM 
Started by cj - Last post by cj
Not sure how I missed slSelBind.
slSelBind was added a long time ago and can prevent SQLite injection.
https://sqlitening.planetsquires.com/index.php?topic=3378.0;wap2
Quote
Added the slSelBind function in order to avoid SQL injection and to improve Unicode processing.
Example extracting encrypted text (3 ways):

#INCLUDE "sqlitening.inc"

FUNCTION PBMAIN () AS LONG
 LOCAL sKey AS STRING
 slopen "junk.db3","C"
 slexe  "create table if not exists t1(MyKey UNIQUE,MyData)"
 slSetProcessMods "K" + SPACE$(32)        'set the column encryption key
 sKey = "key1"
 slSelBind "select MyData from t1 where MyKey = ?",slBuildBindDat(sKey,"T")
 DO WHILE slGetRow
  ? slConvertDat(slf(1),"D")              'decrypt the raw field value
  ? slfx(1,"D")                           'decrypt by column number
  ? slfnx("MyData","D")                   'decrypt by column name
 LOOP
END FUNCTION

 3 
 on: December 19, 2018, 07:38:27 PM 
Started by D. Wilson - Last post by cj
Search on name of image or a non-encrypted column
Added slSelBind

THREADED sb AS ISTRINGBUILDERA

#INCLUDE "sqlitening.inc"

FUNCTION PBMAIN () AS LONG

 LOCAL x     AS LONG
 LOCAL sKey  AS STRING

 sb = CLASS "StringBuilderA"

 slopen "junk.db3","C"
 slexe  "drop table if exists t1"
 slexe  "create table if not exists t1(MyKey UNIQUE,MyData)"
 slSetProcessMods "K" + SPACE$(32)        'set the column encryption key
 sKey = "key1"
 'bound insert: MyKey stored as plain text ("T"), MyData stored encrypted ("TN")
 slExeBind "insert into t1 values(?,?)",slBuildBindDat(sKey,"T") + _
                                        slBuildBindDat("Heidi","TN")

 IF slGetChangeCount <> 1 THEN ? "Insert error":EXIT FUNCTION

 'way 1: key wrapped in single quotes and spliced into the SQL text
 slSel "select MyData from t1 where MyKey = " + WRAP$(sKey,$SQ,$SQ)

 DO WHILE slGetRow
  AddItem slConvertDat(slf(1),"D")        'decrypt the raw field value
  AddItem slfx(1,"D")                     'decrypt by column number
  AddItem slfnx("MyData","D")             'decrypt by column name
 LOOP

 'way 2: same spliced key, rows returned into an array
 LOCAL sArray() AS STRING
 slSelAry  "select MyData from t1 where MyKey="+WRAP$(sKey,$SQ,$SQ),sArray(),"D1 Q9c"
 FOR x = 1 TO UBOUND(sArray)
  AddItem sArray(x)
 NEXT

 'way 3: bound parameter, this could prevent sql injection
 slSelBind "select MyData from t1 where MyKey = ?",slBuildBindDat(sKey,"T")
 DO WHILE slGetRow
  AddItem slConvertDat(slf(1),"D")
  AddItem slfx(1,"D")
  AddItem slfnx("MyData","D")
 LOOP
 ? sb.string
END FUNCTION

SUB AddItem(s AS STRING)
 sb.add s + $CR
END SUB
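The difference between the WRAP$ (spliced-quote) selects and the slSelBind select above, shown with Python's built-in sqlite3 module on a constructed copy of the t1 table. This is an added example, not code from the thread or from SQLitening: select_concat builds the statement the way WRAP$(sKey,$SQ,$SQ) does, select_bound passes the key as a ? parameter the way slSelBind does.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the forum's t1(MyKey UNIQUE, MyData).
    con = sqlite3.connect(":memory:")
    con.execute("create table t1(MyKey UNIQUE, MyData)")
    con.executemany("insert into t1 values(?,?)",
                    [("key1", "Heidi"), ("O'Brien", "Pat")])
    return con


def select_concat(con, key):
    # Same shape as slSel + WRAP$(sKey,$SQ,$SQ): the key becomes part of the SQL text,
    # so a quote inside the key changes the statement itself.
    sql = "select MyData from t1 where MyKey = '" + key + "'"
    return [row[0] for row in con.execute(sql)]


def select_bound(con, key):
    # Same shape as slSelBind with a ? placeholder: the key travels as a value and
    # never reaches the SQL parser, whatever characters it contains.
    return [row[0] for row in
            con.execute("select MyData from t1 where MyKey = ?", (key,))]


def compare(key):
    # Run both forms on the same key; a concatenated statement that no longer
    # parses is reported as an error string instead of raising.
    con = make_db()
    try:
        concat = select_concat(con, key)
    except sqlite3.OperationalError as e:
        concat = "error: " + str(e)
    return concat, select_bound(con, key)


if __name__ == "__main__":
    for k in ("key1", "O'Brien", "key1' OR 'x'='x"):
        print(repr(k), compare(k))
```

A legitimate key containing a quote breaks the concatenated statement, and a key with a quote followed by extra SQL widens the match to every row, while the bound form treats each of them as one literal key.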

 4 
 on: December 19, 2018, 01:35:29 PM 
Started by D. Wilson - Last post by D. Wilson
That was going to be my next question. Do I write/query the database just like normal? What about blob fields that contain images?

 5 
 on: December 19, 2018, 01:07:27 PM 
Started by D. Wilson - Last post by cj
Searching on the blob column may not work unless you know the exact value.
It makes more sense to search on the non-encrypted columns such as a key column.
See post #5 (below) which makes more sense.
It shows using slExeBind and slSelBind which may prevent SQL injection.

Equal (=) tests seem to work (with binding), but (< and >) are not correct.
Notice in this example "Apple" is less than "B", but "Apple" is not returned.
If anyone sees an error in my ways, please post it!
https://www.sqlitening.planetsquires.com/index.php?topic=9579.msg25200#msg25200

Hopefully other products handle this.

#INCLUDE "sqlitening.inc"

FUNCTION PBMAIN () AS LONG
 LOCAL s AS STRING
 slopen "junk.db3","C"
 slexe  "drop table if exists t1"
 slexe  "create table if not exists t1(c1)"
 slSetProcessMods "K" + SPACE$(32)  'set encrypt key
 slExeBind "insert into t1 values(?)",slBuildBindDat("Apple","TN")          'insert encrypted Apple
 slSelBind "select c1 from t1 where c1 < ?",slBuildBindDat("B","TN")        'Apple less than B test
 DO WHILE slGetRow
  s+= slfx(1,"D") + $CR
 LOOP
 ? s
END FUNCTION
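Why the "Apple" < "B" test above returns nothing: the comparison runs on the stored ciphertext bytes, not on the plaintext. This added example (not from the thread and not SQLitening's code) reproduces that with Python's sqlite3 and a constructed XOR toy cipher that stands in for SQLitening's AES256 column encryption, sharing only the property that matters here: equal plaintexts give equal ciphertexts, but byte order is scrambled. It also shows the range test done after decrypting, which is the workable alternative to comparing encrypted columns in SQL.

```python
import sqlite3

# Constructed keystream; the toy cipher is NOT SQLitening's algorithm.
KEYSTREAM = bytes([0x5A, 0xC3, 0x19, 0x77, 0xE8, 0x0D, 0xB4, 0x62])


def toy_encrypt(text):
    data = text.encode()
    return bytes(b ^ KEYSTREAM[i % len(KEYSTREAM)] for i, b in enumerate(data))


def toy_decrypt(blob):
    return bytes(b ^ KEYSTREAM[i % len(KEYSTREAM)] for i, b in enumerate(blob)).decode()


def make_db():
    # Constructed in-memory stand-in for the forum's t1(c1) holding encrypted "Apple".
    con = sqlite3.connect(":memory:")
    con.execute("create table t1(c1)")
    con.execute("insert into t1 values(?)", (toy_encrypt("Apple"),))
    return con


def less_than_in_sql(con, bound):
    # What the slSelBind "c1 < ?" test does: SQLite compares the two BLOBs bytewise,
    # so the result reflects ciphertext order, which has no relation to plaintext order.
    rows = con.execute("select c1 from t1 where c1 < ?", (toy_encrypt(bound),))
    return [toy_decrypt(r[0]) for r in rows]


def equal_in_sql(con, bound):
    # Equality still works because the same plaintext always encrypts to the same bytes.
    rows = con.execute("select c1 from t1 where c1 = ?", (toy_encrypt(bound),))
    return [toy_decrypt(r[0]) for r in rows]


def less_than_in_app(con, bound):
    # Workable range test: fetch, decrypt, then compare plaintext in the application.
    return [toy_decrypt(r[0]) for r in con.execute("select c1 from t1")
            if toy_decrypt(r[0]) < bound]


if __name__ == "__main__":
    db = make_db()
    print("SQL  c1 < 'B':", less_than_in_sql(db, "B"))
    print("SQL  c1 = 'Apple':", equal_in_sql(db, "Apple"))
    print("app  c1 < 'B':", less_than_in_app(db, "B"))
```

With this keystream the first ciphertext byte of "Apple" (0x41 ^ 0x5A = 0x1B) is greater than that of "B" (0x42 ^ 0x5A = 0x18), so the SQL range test misses the row exactly as in the post; a different key could just as easily produce a false match, which is why range tests belong on non-encrypted columns or on decrypted values.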

 6 
 on: December 19, 2018, 03:24:40 AM 
Started by D. Wilson - Last post by Fim
With SQLitening's encryption you can not use SELECT * FROM TEXT WHERE ORD = 'ab??rice'
but you can do that with SQLite's encryption.
Am I right?

/Fim W.

 7 
 on: December 18, 2018, 08:48:53 PM 
Started by D. Wilson - Last post by cj
SQLitening's built-in AES256 Cookbook encryption is used on columns and can be turned on and off.
SQLitening's encryption was written by Greg Turcheson and would not be understood by third-party viewers.

Buying SQLite's AES256 encryption or using https://www.zetetic.net/sqlcipher/ encrypts at the database level.
These products may work with some third-party products.


 8 
 on: December 18, 2018, 06:34:52 PM 
Started by D. Wilson - Last post by D. Wilson
What are the steps to provide encryption to an SQLite database?

If I encrypt a database using SQLitening, can I open it and decrypt it using third-party tools (i.e. SQLite database viewers)?

Any help would be appreciated.

 9 
 on: December 07, 2018, 05:46:25 AM 
Started by Fredrick Ughimi - Last post by Fredrick Ughimi
Hello CJ,

Thanks as always.

Both code samples work well. I think I would go with the second one. I did something similar to that earlier.

The tricky part is:
Quote
2. Automatically upload records entered in local database to the remote server when the internet connection is available.

The client computers are multiple, not just one.


 10 
 on: December 06, 2018, 02:06:08 PM 
Started by Fredrick Ughimi - Last post by cj
I don't think slpushdatabase and slpopdatabase will help much.
The big thing is keeping the databases in sync and preventing duplicate keys from being rejected.
I'm thinking of how an ATM machine can't give out money if the central server is down.
One thing about cloud computing is the data is duplicated and maintained by different locations.
Some may not know that they have to pay for that duplicated data if sent to different servers.
Is cloud safer and more secure?  Yes, in my opinion.  Sorry for getting off subject.

#DIM ALL
#INCLUDE "sqlitening.inc"
GLOBAL gConnect AS LONG
'-------------------------------------------------------
FUNCTION PBMAIN () AS LONG
 LOCAL x,ecode,portnumber AS LONG
 LOCAL sHost AS STRING
 slSetProcessMods "E0"

 sHost = "192.168.0.12"
 PortNumber = 80

 FOR x = 1 TO 1 'try multiple times to connect
  ecode = slConnect(shost,portnumber)
  IF ecode = 0 THEN gConnect = 1:EXIT FOR ELSE BEEP
 NEXT
 IF gConnect = 0 THEN
  IF MSGBOX("Could not connect, work local?",%MB_YESNO OR %MB_SYSTEMMODAL,"Connect error") = %IDNO THEN
   ? "Ending the program",%MB_SYSTEMMODAL,"Thank you"
   EXIT FUNCTION
  END IF
 END IF

 IF gConnect THEN
  slDisconnect
  ? "disconnect and end"
 ELSE
  ? "end"
 END IF
END FUNCTION
