Re: TDBC documentation, examples, syntax?



On Mar 5, 2:33 pm, Neil Madden <n...@xxxxxxxxxxxxx> wrote:
> tom.rmadilo wrote:
>
> > [...]
> >
> > SQL injection cannot be handled correctly beyond the first layer. The
> > only function of the first layer is to distinguish between code and
> > data.
>
> Umm... what? Firstly, code *is* data. That is the entire problem. What
> you mean is that the database interface needs to be able to distinguish
> between data that is intended to be interpreted as an SQL query, and
> that which is intended to be interpreted as e.g. an integer or string or
> some other data type. The idea that this distinction can only be made
> when data enters a system is utter nonsense, and indeed Tcl itself is a
> quite handy proof by contradiction. Tcl delays interpreting values for
> as long as possible, and yet still manages to distinguish different data
> types just fine.

Interpretation of values is unimportant, separation of code and data
is essential, in fact that is all there is to it. When and/if you
combine data and code into a query, you might (depending on the
environment) need to "sanitize" the data, but all that means is you
use the query syntax to keep code and data separate once combined.

I guess what is surprising to me is that this is considered unique.
Handling Tcl code as "data" presents the same potential problem, just
as handling HTML inside a web form. In fact, just directly serving a
PDF file from your website can compromise your user's computer, and
maybe your website, assuming a third party malicious link
(http://rmadilo.com/files/pdf-exploit/).

Anyway, I think I understand the issue, I understand that lots of
programmers don't understand the issue, but I don't understand why.
Maybe most programmers are more optimistic than I am. I assume
disaster and plan accordingly.

Also, I never even hinted that TDBC contained any exploits. My
assumption was that it was safe from SQL injection and any other
potential attack.

tom jackson
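The point argued above, that the query syntax itself must keep code and data apart once they are combined, is what TDBC's bound parameters do. The following is an added illustration, not code from the thread or from TDBC's own documentation; it assumes the tdbc::sqlite3 driver and a constructed in-memory table, and uses a legitimate value containing an apostrophe (`O'Brien`) to show that interpolation lets data leak into the SQL text while a bound parameter keeps it as data.

```tcl
package require tdbc::sqlite3

# Constructed in-memory database for the demonstration (assumption, not from the thread).
tdbc::sqlite3::connection create db :memory:
db allrows {CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)}
db allrows {INSERT INTO users (name, role) VALUES ('alice', 'admin')}
db allrows {INSERT INTO users (name, role) VALUES ('O''Brien', 'user')}

# Unsafe: the value is spliced into the SQL text before the database
# parses it, so the parser cannot tell which characters were meant as
# code and which as data. A single quote in ordinary input already
# changes the statement's structure.
proc lookup_interpolated {name} {
    return [db allrows -as dicts "SELECT name, role FROM users WHERE name = '$name'"]
}

# Safe: the SQL text is fixed at prepare time; :name is a placeholder
# whose value TDBC hands to the driver separately, so whatever the
# value contains, it is only ever treated as data.
proc lookup_bound {name} {
    set stmt [db prepare {SELECT name, role FROM users WHERE name = :name}]
    try {
        return [$stmt allrows -as dicts [dict create name $name]]
    } finally {
        $stmt close
    }
}

set input "O'Brien"

# The interpolated form fails (or, with other input, does something else
# entirely) because the apostrophe is read as SQL syntax.
if {[catch {lookup_interpolated $input} err]} {
    puts "interpolated: error: $err"
} else {
    puts "interpolated: [lookup_interpolated $input]"
}

# The bound form returns the matching row unchanged.
puts "bound: [lookup_bound $input]"

db close
```

The same separation holds for every TDBC driver, since the placeholder syntax is resolved by TDBC and the driver, not by string substitution in the script.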



