Positive for fP
Walter Vaughan
wvaughan at steelerubber.com
Tue May 30 05:25:36 PDT 2006
Fairlight wrote:
> POINT: Natively, assuming it talks to no SQL databases using data
> supplied, filePro is completely immune to SQL injection attacks.
The latest one I have seen an advisory about is supplying a UTF-8 Unicode
character string to postgresql that is valid as both a single character and as a
character/escape sequence.
I don't think I have knowingly worked filePro with UTF-8 (other than the
"normal" ascii range). Whatever you wrap filePro around in a web environment,
the developer must have all fields cleaned before passing it to the wrapping
system's system command or else someone can wreak havoc if that is their desire.
I've watched enough movies and TV to know that even cleaning variables isn't
enough. Those folks on CSI can get into any computer system in seconds.
--
Walter
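The point Walter makes about cleaning every field before it reaches the wrapping system's system command is easy to see in running code. The following is an added example, not code from the post or from filePro; it uses `echo` as a stand-in for a hypothetical wrapper lookup program, and the allow-list pattern and the sample field values are constructed assumptions. It contrasts the dangerous pattern (pasting a raw field into a shell command line) with passing the field as a single argv element, and adds an allow-list check on top:

```python
import re
import subprocess

# Constructed sample values, as a web form might hand them to a filePro wrapper.
LEGIT_FIELD = "ACME Rubber"
HOSTILE_FIELD = "acme; echo INJECTED"   # constructed: a shell separator smuggled into a field

# Allow-list for a free-text customer field (assumption: letters, digits, space, . _ -).
FIELD_RE = re.compile(r"^[A-Za-z0-9 ._-]{1,64}$")

# 'echo' stands in for the wrapper's real lookup program (hypothetical).
LOOKUP_PROGRAM = "echo"


def is_clean(value: str) -> bool:
    """Allow-list check: reject anything outside the pattern rather than try to strip it."""
    return bool(FIELD_RE.fullmatch(value))


def run_unsafe(field: str) -> list[str]:
    """The pattern the post warns against: the raw field is pasted into a shell command
    line, so /bin/sh parses any ';' or '|' the field carries as a command separator."""
    cmd = f"{LOOKUP_PROGRAM} {field}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def run_argv(field: str) -> list[str]:
    """No shell at all: the field travels as one argv element and is never re-parsed."""
    out = subprocess.run([LOOKUP_PROGRAM, field], capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


def run_clean(field: str) -> list[str]:
    """Belt and braces: validate against the allow-list first, then still avoid the shell."""
    if not is_clean(field):
        raise ValueError(f"rejected field value: {field!r}")
    return run_argv(field)


if __name__ == "__main__":
    print("unsafe:", run_unsafe(HOSTILE_FIELD))   # two lines: the second command ran
    print("argv:  ", run_argv(HOSTILE_FIELD))     # one line: the text stayed an argument
    print("clean: ", run_clean(LEGIT_FIELD))
    try:
        run_clean(HOSTILE_FIELD)
    except ValueError as exc:
        print("clean: ", exc)
```

The argv form alone already stops the shell from re-parsing the field; the allow-list is there because the downstream program (filePro itself, or a SQL layer behind it) may have its own parsing rules, which is exactly the kind of encoding-dependent problem the postgresql advisory mentioned above illustrates.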