SQLitening Support Forum


Author Topic: Security  (Read 1040 times)

D. Wilson

Security
« on: September 03, 2015, 07:06:05 PM »

Using Sqlitening - What measures should be adopted to prevent SQL Injection attacks. Any thoughts would be appreciated.

Bern Ertl

Re: Security
« Reply #1 on: September 04, 2015, 08:16:11 AM »

You can use triggers to do some basic data validation.  That could prevent, for example:

string fields from exceeding a certain length
string fields from matching certain patterns (like SQL statements)
etc.

Bern Ertl

Re: Security
« Reply #2 on: September 04, 2015, 08:34:31 AM »

Code:
-- Reject any UPDATE that would leave xField longer than 20 characters.
CREATE TRIGGER fku_Validate_xTable_xField BEFORE UPDATE OF xField ON [xTable] FOR EACH ROW
   WHEN length(New.xField) > 20
   BEGIN
      SELECT RAISE(ROLLBACK, 'update on table xTable violates field length constraint');
   END;

I think you could try using the LIKE or GLOB operators to check pattern matching, but you could always roll your own custom function to use PowerBASIC's REGEXP string functions too:

http://www.sqlitening.com/support/index.php?topic=2936.0;nowap

BTW - I think that (i.e. not tested) adding a trigger that calls a custom proc will guarantee failure of any update (insert or delete according to the nature of the trigger) if the custom function isn't loaded (another possible layer of security preventing manipulation of the DB outside from a 3rd party source [or directly]).
« Last Edit: September 04, 2015, 08:38:27 AM by Bern Ertl »
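The trigger above, applied to a constructed table so it can be run end to end. This is an added example, not code from the thread or from SQLitening; it uses Python's built-in sqlite3 module (the same SQLite engine SQLitening wraps) and goes a step beyond the post by adding a matching BEFORE INSERT trigger, since the posted one only guards UPDATE. Table, field and trigger names are the placeholders from the post. Note the limit of this technique: a trigger validates the data that reaches the table, it does not stop a statement that was already altered by injected text before it ran.

```python
import sqlite3

# Added example, not SQLitening's own code. xTable / xField / MAX_LEN are placeholders.
MAX_LEN = 20


def open_db() -> sqlite3.Connection:
    """In-memory database with the length-check triggers installed."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE xTable (id INTEGER PRIMARY KEY, xField TEXT);

        -- Trigger from the post: refuse an UPDATE that would exceed 20 characters.
        CREATE TRIGGER fku_Validate_xTable_xField
        BEFORE UPDATE OF xField ON [xTable] FOR EACH ROW
        WHEN length(New.xField) > 20
        BEGIN
            SELECT RAISE(ROLLBACK, 'update on table xTable violates field length constraint');
        END;

        -- Added here (assumption): the same check for INSERT, which the posted trigger does not cover.
        CREATE TRIGGER fki_Validate_xTable_xField
        BEFORE INSERT ON [xTable] FOR EACH ROW
        WHEN length(New.xField) > 20
        BEGIN
            SELECT RAISE(ROLLBACK, 'insert on table xTable violates field length constraint');
        END;
    """)
    return con


def try_write(con: sqlite3.Connection, sql: str, params: tuple):
    """Run one write statement with bound parameters.

    Returns (True, "") on success, or (False, error_text) when a trigger
    raised; RAISE(ROLLBACK, ...) surfaces as sqlite3.IntegrityError.
    """
    try:
        con.execute(sql, params)
        con.commit()
        return True, ""
    except sqlite3.DatabaseError as exc:
        return False, str(exc)


def demo() -> dict:
    """Exercise the triggers with one valid and two over-length values."""
    con = open_db()
    results = {}
    # Exactly 20 characters: allowed.
    results["short_insert"] = try_write(
        con, "INSERT INTO xTable(xField) VALUES (?)", ("twenty chars or less",))
    # 21 characters: the INSERT trigger rolls it back.
    results["long_insert"] = try_write(
        con, "INSERT INTO xTable(xField) VALUES (?)", ("x" * (MAX_LEN + 1),))
    # 25 characters: the UPDATE trigger from the post rolls it back.
    results["long_update"] = try_write(
        con, "UPDATE xTable SET xField = ? WHERE id = 1", ("y" * 25,))
    results["row_count"] = con.execute("SELECT count(*) FROM xTable").fetchone()[0]
    results["stored"] = con.execute(
        "SELECT xField FROM xTable WHERE id = 1").fetchone()[0]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because RAISE(ROLLBACK, ...) ends the enclosing transaction, anything else batched in the same transaction is discarded too; RAISE(ABORT, ...) undoes only the offending statement, which is usually what an application layer expects.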

cj

Re: Security
« Reply #3 on: December 19, 2018, 08:03:06 PM »

Quote:
Using Sqlitening - What measures should be adopted to prevent SQL Injection attacks. Any thoughts would be appreciated.

This is an old thread from 2015, but these answers were not given.
Today is 12/19/2018.

slExeBind
slSelBind
https://www.sqlitening.planetsquires.com/index.php?topic=9730.msg26326;topicseen#msg26326

Thoughts:
I've wondered who would inject the code in a local network?
If they can inject code they can just as easily write sql statements or delete a database.
If used over the internet the transmits should be encrypted so they shouldn't be able to inject.

I like slExeBind because text can be inserted "as is" without needing to wrap text with $SQ and also wrap embedded $SQ's.
« Last Edit: December 19, 2018, 08:42:42 PM by cj »
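The difference between wrapping text in quotes and binding it, as an added example that is not part of the thread or of SQLitening. Python's sqlite3 "?" placeholders are used here in the role that slExeBind and slSelBind play in SQLitening (an analogy, not SQLitening's API): the value travels to the engine as data and is never parsed as SQL, so embedded single quotes need no doubling. The table and rows are constructed for the example.

```python
import sqlite3

# Added example, not SQLitening's own code. Table "customers" and its rows are constructed.


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO customers(name) VALUES (?)",
                    [("Alice",), ("Bob",), ("O'Brien",)])
    con.commit()
    return con


def find_concat(con: sqlite3.Connection, name: str):
    """Fragile: the value is pasted into the statement between single quotes.

    Returns the matching names, or an 'error: ...' string when the pasted
    text breaks the statement's syntax.
    """
    sql = "SELECT name FROM customers WHERE name = '" + name + "'"
    try:
        return [row[0] for row in con.execute(sql)]
    except sqlite3.OperationalError as exc:
        return "error: " + str(exc)


def find_concat_escaped(con: sqlite3.Connection, name: str):
    """The manual workaround cj mentions: double every embedded quote first."""
    sql = "SELECT name FROM customers WHERE name = '" + name.replace("'", "''") + "'"
    return [row[0] for row in con.execute(sql)]


def find_bound(con: sqlite3.Connection, name: str):
    """Bound parameter: the text goes in 'as is' and is compared as a literal."""
    return [row[0] for row in con.execute(
        "SELECT name FROM customers WHERE name = ?", (name,))]


def insert_bound(con: sqlite3.Connection, name: str) -> str:
    """Insert with a bound parameter and return what was actually stored."""
    cur = con.execute("INSERT INTO customers(name) VALUES (?)", (name,))
    con.commit()
    return con.execute("SELECT name FROM customers WHERE id = ?",
                       (cur.lastrowid,)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print(find_concat(db, "O'Brien"))          # syntax error from the stray quote
    print(find_concat_escaped(db, "O'Brien"))  # ["O'Brien"]
    print(find_bound(db, "O'Brien"))           # ["O'Brien"]
    # Text containing SQL syntax: concatenation changes the query's meaning
    # (every row matches); binding compares it as a plain string (no rows).
    print(len(find_concat(db, "' OR '1'='1")))   # 3
    print(find_bound(db, "' OR '1'='1"))        # []
    print(insert_bound(db, "it's stored verbatim"))
```

The escaped variant works as long as every call site remembers to double the quotes; binding removes that obligation entirely, which is the practical reason to prefer slExeBind and slSelBind over building statements with $SQ.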