
Security

Started by D. Wilson, September 03, 2015, 09:36:05 pm


D. Wilson

Using Sqlitening - What measures should be adopted to prevent SQL Injection attacks. Any thoughts would be appreciated.

Bern Ertl

You can use triggers to do some basic data validation.  That could prevent, for example:

string fields from exceeding a certain length
string fields from matching certain patterns (like SQL statements)
etc.

Bern Ertl

September 04, 2015, 11:04:31 am #2 Last Edit: September 04, 2015, 11:08:27 am by Bern Ertl

CREATE TRIGGER fku_Validate_xTable_xField
   BEFORE UPDATE OF xField ON [xTable]
   FOR EACH ROW
   WHEN length(New.xField) > 20
   BEGIN
      SELECT RAISE(ROLLBACK, 'update on table xTable violates field length constraint');
   END;


I think you could try using the LIKE or GLOB operators to check pattern matching, but you could always roll your own custom function to use PowerBASIC's REGEXP string functions too:

http://www.sqlitening.com/support/index.php?topic=2936.0;nowap

BTW - I think that (i.e. not tested) adding a trigger that calls a custom proc will guarantee failure of any update (insert or delete according to the nature of the trigger) if the custom function isn't loaded (another possible layer of security preventing manipulation of the DB from outside by a 3rd party source [or directly]).

cj

December 19, 2018, 09:33:06 pm #3 Last Edit: December 19, 2018, 10:12:42 pm by cj
Quote: Using Sqlitening - What measures should be adopted to prevent SQL Injection attacks. Any thoughts would be appreciated.


This is an old thread from 2015, but these answers were not given.
Today is 12/19/2018.

slExeBind
slSelBind
https://www.sqlitening.planetsquires.com/index.php?topic=9730.msg26326;topicseen#msg26326

Thoughts:
I've wondered who would inject the code in a local network?
If they can inject code they can just as easily write sql statements or delete a database.
If used over the internet the transmissions should be encrypted so they shouldn't be able to inject.

I like slExeBind because text can be inserted "as is" without needing to wrap text with $SQ and also wrap embedded $SQ's.
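The two techniques discussed in this thread, the length-validation trigger from Bern Ertl's post #2 and the parameter binding that cj recommends (slExeBind/slSelBind) in post #3, side by side in one runnable example. This is an added illustration, not code from the thread or from the SQLitening project: it drives the same SQLite engine from Python's sqlite3 module, where `?` placeholders stand in for slSelBind/slExeBind and a hand-written `sq()` helper stands in for wrapping values in $SQ and doubling embedded $SQs. The `users` table, its rows and the injection payload are constructed for the example; the trigger is the one from post #2 with xTable/xField renamed to that table. Python's `execute()` accepts a single statement, so the payload is a tautology that rewrites the WHERE clause rather than a stacked `; DROP TABLE`.

```python
import sqlite3

# Constructed schema for the example: a hypothetical users table plus the
# length-validation trigger from post #2, renamed for this table.
SCHEMA = """
CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT NOT NULL, role TEXT NOT NULL);
INSERT INTO users(name, role) VALUES ('alice', 'admin'), ('bob', 'user');
CREATE TRIGGER fku_Validate_users_name
   BEFORE UPDATE OF name ON users
   FOR EACH ROW
   WHEN length(New.name) > 20
   BEGIN
      SELECT RAISE(ROLLBACK, 'update on table users violates field length constraint');
   END;
"""


def open_db():
    """Fresh in-memory database with the constructed schema loaded."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def sq(text):
    """Manual quoting as the thread describes it: wrap the value in $SQ (a single
    quote) and double every embedded $SQ. Safe only if every call site remembers it."""
    return "'" + text.replace("'", "''") + "'"


def roles_concat(con, name):
    """VULNERABLE: the query text is assembled from the caller's value with no quoting,
    so a value containing a quote rewrites the statement."""
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in con.execute(sql)]


def roles_quoted(con, name):
    """Concatenation with manual $SQ wrapping: correct here, but one forgotten sq()
    anywhere in the program reopens the hole."""
    sql = "SELECT role FROM users WHERE name = " + sq(name)
    return [row[0] for row in con.execute(sql)]


def roles_bound(con, name):
    """Parameter binding (the slSelBind approach): the value is handed to the engine
    separately from the SQL text and can never change the statement's structure."""
    return [row[0] for row in con.execute("SELECT role FROM users WHERE name = ?", (name,))]


def rename_bound(con, user_id, new_name):
    """Bound UPDATE (the slExeBind approach). Returns True if the row was updated and
    False if the length trigger from post #2 rolled the statement back."""
    try:
        con.execute("UPDATE users SET name = ? WHERE id = ?", (new_name, user_id))
        con.commit()
        return True
    except sqlite3.DatabaseError:  # RAISE(ROLLBACK, ...) surfaces as a constraint error
        return False


def name_of(con, user_id):
    """Read a name back so the effect of each update can be checked."""
    row = con.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    con = open_db()
    payload = "x' OR '1'='1"  # constructed tautology payload
    print("concat :", roles_concat(con, payload))  # every role in the table leaks
    print("quoted :", roles_quoted(con, payload))  # [] because the quote was doubled
    print("bound  :", roles_bound(con, payload))   # [] because the value is only data
    print("long   :", rename_bound(con, 2, "b" * 21))            # trigger rolls it back
    print("sqlish :", rename_bound(con, 2, "'; DROP TABLE --"))  # stored literally, 16 chars
    print("stored :", name_of(con, 2))
```

The last two calls make the practical point: the trigger enforces a length limit independent of how the statement was built, but a bound value that merely looks like SQL is just text that fits the column. A pattern-rejecting trigger on top of binding would only add false positives on legitimate data that happens to contain quotes or keywords.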