materix
Posts: 161
Posted: 08/04/2008, 6:04 AM
Hello.
When using a grid on a webpage, it is normal to set a URL (GET) table parameter via the visual query builder to set the WHERE clause.
I am now wondering if this is a safe method with regard to all the SQL injection viruses around these days. I saw somewhere on the forums that the ToSQL method ensures the parameter, but is this method called when using a table parameter in a grid?
wkempees
Posts: 1679
Posted: 08/05/2008, 3:49 AM
Good question.
_________________
Origin: NL, T:GMT+1 (Forumtime +9)
CCS3/4.01.006 PhP, MySQL .Net/InMotion(Vista/XP, XAMPP)
if you liked this info PAYPAL me: http://donate.consultair.eu
CCT
Posts: 44
Posted: 08/07/2008, 12:44 AM
Yes, it's used for such WHERE parameters. You can find it if you dig further into generated code.
I've investigated such concerns once, and it seems like everything that CCS generates should be considered safe (against SQL injections) and security problems may arise in custom code only. Also, in my custom code I mostly use CCBuildUpdate/CCBuildInsert; they also have "ToSQL" escaping inside them, so I don't need to worry about this. So I mostly use ToSQL escaping in the CCDLookUp where condition and in custom SELECT queries (rather rare in my case).
Regarding the client part, problems can quickly arise if you use "HTML" type Labels: they have no escaping and you can easily get XSS vulnerabilities on your site. So either filter HTML yourself or use "Text" type Labels. That's hopefully obvious for all CCS developers, but from my experience it seems to be a more common problem than the SQL-injection one.
_________________
Get more CodeCharge Studio builders at http://codechargetools.com
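The two points in CCT's answer, as an added Python example that is not from this forum thread or the CodeCharge Studio code base: a type-aware escaping function written in the spirit of ToSQL feeding a WHERE clause built from a GET parameter (with the hand-pasted variant beside it for comparison), plus the "HTML" versus "Text" label output. The names `to_sql`, `build_where`, `build_where_unescaped`, `render_label`, `query_names` and the sample rows are constructed for this illustration, and sqlite3 stands in for the site's database.

```python
import html
import sqlite3

# Constructed sample rows standing in for a grid's backing table.
ROWS = [(1, "O'Brien"), (2, "Smith <b>bold</b>")]


def to_sql(value, data_type):
    """Type-aware escaping in the spirit of CCS's ToSQL (hypothetical
    re-implementation): integers must parse as numbers, text is quoted with
    single quotes doubled (the SQL-standard escape; a MySQL site would use
    its driver's escaping routine instead). Anything else is rejected."""
    if data_type == "integer":
        return str(int(value))  # ValueError for a non-numeric parameter
    if data_type == "text":
        return "'" + str(value).replace("'", "''") + "'"
    raise ValueError(f"unsupported data type {data_type!r}")


def build_where_unescaped(column, value):
    """Hand-written clause that pastes the URL parameter in verbatim:
    a quote inside the value changes the statement itself."""
    return f"{column} = '{value}'"


def build_where(column, value, data_type):
    """Clause built the way the generated grid code does it: the GET
    parameter goes through to_sql before it reaches the statement."""
    return f"{column} = {to_sql(value, data_type)}"


def render_label(value, label_type):
    """Label behaviour: an 'HTML' label emits the value as-is, a 'Text'
    label entity-encodes it so the browser displays it rather than runs it."""
    return value if label_type == "HTML" else html.escape(value, quote=True)


def query_names(where):
    """Run a WHERE clause against an in-memory copy of the sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE people (id INTEGER, name TEXT)")
    con.executemany("INSERT INTO people VALUES (?, ?)", ROWS)
    return [row[0] for row in con.execute(f"SELECT name FROM people WHERE {where}")]


if __name__ == "__main__":
    print(query_names(build_where("name", "O'Brien", "text")))  # ["O'Brien"]
    print(render_label("Smith <b>bold</b>", "Text"))
```

Running it shows the escaped clause returning the row with the apostrophe intact, while the unescaped variant fails to parse, which is the same mechanism that makes verbatim parameters dangerous.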
materix
Posts: 161
Posted: 08/07/2008, 3:37 AM
Frank, thank you for the insight (and your fantastic CC Tools). I will then start using CCBuildUpdate and CCBuildInsert in the future.