Positive for fP

Walter Vaughan wvaughan at steelerubber.com
Tue May 30 05:25:36 PDT 2006


Fairlight wrote:

> POINT:  Natively, assuming it talks to no SQL databases using data
> supplied, filePro is completely immune to SQL injection attacks.

The latest one I have seen an advisory about is supplying a UTF-8 Unicode 
character string to postgresql that is valid as both a single character and as a 
character/escape sequence.

I don't think I have knowingly worked filePro with UTF-8 (other than the 
"normal" ascii range). Whatever you wrap filePro around in a web environment, 
the developer must have all fields cleaned before passing it to the wrapping 
system's system command or else someone can wreak havoc if that is their desire.

I've watched enough movies and TV to know that even cleaning variables isn't 
enough. Those folks on CSI can get into any computer system in seconds.

--
Walter
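An added example (not code from this post or from filePro) of the "clean every field before it reaches the system command" rule, showing the defensive side of the advisory mentioned above: strict UTF-8 decoding rejects a field carrying a bare multibyte lead byte instead of escaping it, and the wrapped program is started with an argv list so the shell never parses field contents. Program path and sample fields are constructed placeholders.

```python
import subprocess
from typing import List

# Constructed sample input: two web fields. SAMPLE_BAD ends in byte 0xC3
# followed by a quote; 0xC3 is a multibyte lead byte that needs a
# continuation byte, so the field is not well-formed UTF-8.
SAMPLE_OK = [b"ACME Widgets", b"12345"]
SAMPLE_BAD = [b"ACME Widgets", b"\xc3'"]

class RejectedField(ValueError):
    """Raised when a field is not safe to hand to the wrapped command."""

def clean_field(raw: bytes) -> str:
    # Strict decode: anything that is not well-formed UTF-8 is refused
    # outright rather than escaped and passed along.
    try:
        text = raw.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        raise RejectedField(f"not valid UTF-8: {exc}") from exc
    # Control characters (newline, NUL, DEL, ...) have no place in a field.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in text):
        raise RejectedField("control character in field")
    return text

def is_accepted(raw: bytes) -> bool:
    # Convenience predicate for callers that only need a yes/no answer.
    try:
        clean_field(raw)
        return True
    except RejectedField:
        return False

def build_argv(program: str, fields: List[bytes]) -> List[str]:
    # An argv list reaches the OS without shell parsing, so quoting
    # tricks inside a field cannot turn into additional commands.
    return [program] + [clean_field(f) for f in fields]

def run_wrapped(program: str, fields: List[bytes]) -> subprocess.CompletedProcess:
    # shell=False is the default, stated explicitly for emphasis.
    return subprocess.run(build_argv(program, fields), shell=False,
                          capture_output=True, check=False)

if __name__ == "__main__":
    print(build_argv("/usr/local/bin/wrapped-report", SAMPLE_OK))  # hypothetical program path
    print("bad field accepted?", is_accepted(SAMPLE_BAD[1]))
```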

