lema Posted October 14, 2011

By the way, I see you never developed for the web before. Such code

    SQL.Add('SELECT * FROM Actif ');
    SQL.Add('WHERE (act_id='''+ IntToStr(FrmClientInput.idActif)+''')');

is asking for an SQL injection attack if you try to insert some user input. For the love of God, please at least use query parameters instead. Even better, go read something about safe web programming.

Really, what is the appropriate way to avoid SQL injection attacks? Can you please show a fast guide of things we should and should not do during web programming?
ibandyop Posted October 14, 2011

Use Params to pass user input values to your database, like this:

    qry.SQL.Text := 'update users set name=:name where uid=:uid';
    qry.Prepare;
    qry.ParamByName( 'name' ).AsString := Sanitize(edname.Text);
    qry.ParamByName( 'uid' ).AsInteger := uid; // not user input
    qry.ExecSQL;

Sanitize depends on the database. If using Zeos with MySQL, you can use mysql_real_escape_string() in ZPlainMySqlDriver.pas.

Unfortunately there is no quick solution:

www.symantec.com/connect/articles/detection-sql-injection-and-cross-site-scripting-attacks
25yearsofprogramming.com/blog/2011/20110205.htm
st-curriculum.oracle.com/tutorial/SQLInjection/index.htm
msdn.microsoft.com/en-us/library/ms161953(loband).aspx
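The difference between the concatenated query quoted in the first post and the parameterised one in the reply above, as an added example that is not from either poster: it rebuilds the `Actif` lookup both ways against a constructed in-memory SQLite table (the table contents, the `label` column and the sample inputs are assumptions, not from the thread) so the effect of a stray quote in the input can be seen directly.

```python
import sqlite3


def make_db():
    # Constructed sample table standing in for the thread's "Actif" table
    # (column names and rows are made up for this example).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Actif (act_id TEXT PRIMARY KEY, label TEXT)")
    conn.executemany(
        "INSERT INTO Actif VALUES (?, ?)",
        [("1", "server-a"), ("2", "server-b"), ("3", "server-c")],
    )
    return conn


def lookup_concatenated(conn, id_actif):
    # Mirrors SQL.Add('WHERE (act_id=''' + value + ''')'): the caller's value
    # is spliced into the statement text, so quote characters in it become
    # part of the SQL syntax rather than part of the compared value.
    sql = "SELECT * FROM Actif WHERE (act_id='" + id_actif + "')"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, id_actif):
    # Equivalent of qry.ParamByName('id').AsString := value: the statement
    # text is fixed and the value travels separately as a bound parameter,
    # so it is always compared as a literal, never parsed as SQL.
    sql = "SELECT * FROM Actif WHERE (act_id=:id)"
    return conn.execute(sql, {"id": id_actif}).fetchall()


if __name__ == "__main__":
    conn = make_db()
    benign = "2"
    # Constructed input that closes the quoted literal early.
    hostile = "x' OR '1'='1"
    for name, fn in (("concatenated", lookup_concatenated),
                     ("parameterised", lookup_parameterised)):
        print(name, "benign  ->", fn(conn, benign))
        print(name, "hostile ->", fn(conn, hostile))
```

With the benign id both functions return the single matching row; with the constructed hostile input the concatenated version returns every row in the table while the parameterised version returns none, because no `act_id` equals that string.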
rsanford Posted October 14, 2011

Attached are some guidelines and checklists from MS, might be helpful.

Attachment: Threats_Countermeasures.pdf
lema (Author) Posted October 15, 2011

Thank you all!