lema
Posted October 14, 2011

By the way, I see you never developed for the WEB before. Such code

    SQL.Add('SELECT * FROM Actif ');
    SQL.Add('WHERE (act_id=''' + IntToStr(FrmClientInput.idActif) + ''')');

is asking for SQL Injection attack if you try to insert some user input. For the love of god, please at least use query parameters instead. Even better go read something about safe web programming.

Really, what is the appropriate way to avoid SQL Injection attacks? Can you please show a fast guide of things we should and should not do during web programming?
ibandyop
Posted October 14, 2011

Use Params to pass user input values to your database, like this:

    qry.SQL.Text := 'update users set name=:name where uid=:uid';
    qry.Prepare;
    qry.ParamByName('name').AsString := Sanitize(edname.Text);
    qry.ParamByName('uid').AsInteger := uid; // not user input
    qry.ExecSQL;

Sanitize depends on the database. If using Zeos with MySQL you can use mysql_real_escape_string() in ZPlainMySqlDriver.pas.

Unfortunately there is no quick solution.

www.symantec.com/connect/articles/detection-sql-injection-and-cross-site-scripting-attacks
25yearsofprogramming.com/blog/2011/20110205.htm
st-curriculum.oracle.com/tutorial/SQLInjection/index.htm
msdn.microsoft.com/en-us/library/ms161953(loband).aspx
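As an added example (not code from either poster), here is the Actif lookup from the first post written twice: once with string concatenation, where a value taken from a web request as text could be anything, and once with a bound parameter after an explicit type check. It assumes a connected Zeos TZQuery (the thread mentions Zeos; the same SQL/Params members exist on TADOQuery, TIBQuery and similar), and the table and column names come from the thread.

```pascal
// Added example for this thread; assumes a TZQuery that is already connected.
// Table "Actif" and column "act_id" are taken from the first post.
uses
  SysUtils, DB, ZDataset;

// VULNERABLE: the request text is pasted straight into the SQL string.
// A constructed input such as '1 OR 1=1' is no longer a single id but part
// of the WHERE clause, so the query returns every row.
procedure LoadActifUnsafe(Qry: TZQuery; const ActifIdText: string);
begin
  Qry.SQL.Text := 'SELECT * FROM Actif WHERE act_id = ' + ActifIdText;
  Qry.Open;
end;

// SAFE: reject anything that is not an integer, then bind the value as a
// parameter. The driver passes it as data, never as SQL text, so no
// hand-written escaping (Sanitize, mysql_real_escape_string) is needed.
procedure LoadActifSafe(Qry: TZQuery; const ActifIdText: string);
var
  Id: Integer;
begin
  if not TryStrToInt(ActifIdText, Id) then
    raise Exception.CreateFmt('Invalid actif id: "%s"', [ActifIdText]);

  Qry.SQL.Text := 'SELECT * FROM Actif WHERE act_id = :act_id';
  Qry.ParamByName('act_id').AsInteger := Id;
  Qry.Open;
end;

// Same rule for text values: bind the string, do not concatenate or escape it.
// "act_name" is a hypothetical column used only for illustration.
procedure FindActifByName(Qry: TZQuery; const NameFromRequest: string);
begin
  Qry.SQL.Text := 'SELECT * FROM Actif WHERE act_name = :act_name';
  Qry.ParamByName('act_name').AsString := NameFromRequest; // quotes are safe here
  Qry.Open;
end;
```

The check in LoadActifSafe matters even with parameters: a non-numeric value should be rejected at the boundary with a clear error rather than left for the database driver to report.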
rsanford
Posted October 14, 2011

Attached are some guidelines and checklists from MS, might be helpful.

Threats_Countermeasures.pdf