[ic] Steven Potter

Tuyo Board interchange-users@interchange.redhat.com
Sun Jan 13 13:26:02 2002


Quoting Steven Potter (potter@softhome.net):
 Kevin Walsh wrote:

-I would like to write some of the users order information to a different
-table in the database for statistical use.  What is the best way to
-approch this?  I know I could do it with a [query sql=insert into ....]
-but that doesn't strike me as very secure.  What other methods would you
-suggest?  I searched the archives and didn't find anything, but if you
-know of a thread, point me there.

--Although I don't understand your security concern with [query] and SQL,
--I would suggest you edit the catalogue's etc/log_transaction file.
--Copy the existing method of writing to the transactions table, but use
--your own table name and contents.

-The security concern with [query] is that if I had a statement like the
-following:

-[query sql=INSERT INTO table VALUES('[first_name]',.....]

-What if the user was to enter something like this into the first_name field:

-; DELETE FROM table WHERE 1=1;

-That could cause some serious problems...

--No. It is a separate query, and Interchange doesn't use a(n) SQL shell
--to process commands -- each query must be distinct. So the query would
--fail as invalid.


TRUE TRUE, but some time ago I had to do something like that...

My client wanted to make a "points per sale promotion".

But I fixed it in a completely different manner.

In the page that prints out the last receipt, I opened a POPUP page announcing
how many "points" the buyer got for the buy. This page would talk to
MySQL and add all the info in the table.

Security issues got the best of me, and yes, I did a unique code for each
transaction so that no one could add points to the database via source
code....

Alternate way? YES

Effective? 24 hour production.

Not so IC? Yes

Did it work? Yes.

Thought it could be useful...
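As an added illustration of the exchange quoted above (not code from the thread or from Interchange): a Python/SQLite stand-in for the catalogue's MySQL table, showing that the driver refuses a second stacked statement, as Kevin says, and that splicing a value into the SQL text the way `[query sql=INSERT ... '[first_name]' ...]` does still breaks on an ordinary apostrophe in a name, while bound parameters do not. The `stats` table and the names in it are constructed for the example.

```python
import sqlite3

def setup():
    """Constructed stand-in for the catalogue's statistics table (SQLite, in memory)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stats (order_id INTEGER, first_name TEXT, points INTEGER)")
    conn.execute("INSERT INTO stats VALUES (1, 'Ann', 10)")
    conn.commit()
    return conn

def run_raw(conn, sql):
    """Hand one SQL string to the driver exactly as written and report what happened."""
    try:
        conn.execute(sql)
        conn.commit()
        return "ok"
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return "rejected"      # driver refuses more than one statement per call
    except sqlite3.OperationalError:
        return "error"         # statement is syntactically broken, nothing runs

def insert_interpolated(conn, order_id, first_name, points):
    """Mirrors [query sql=INSERT ... '[first_name]' ...]: the value is spliced into the SQL text."""
    sql = "INSERT INTO stats VALUES (%d, '%s', %d)" % (order_id, first_name, points)
    return run_raw(conn, sql)

def insert_bound(conn, order_id, first_name, points):
    """Same insert with bound parameters: the driver keeps data and SQL apart."""
    conn.execute("INSERT INTO stats VALUES (?, ?, ?)", (order_id, first_name, points))
    conn.commit()
    return "ok"

def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM stats").fetchone()[0]

def names(conn):
    return [r[0] for r in conn.execute("SELECT first_name FROM stats ORDER BY order_id")]
```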