"id" for PRIMARY KEY ?


Postby Jimmy » Sun Jul 23, 2023 10:46 am

hi,

i saw Name "id" for PRIMARY KEY in PostgreSQL Sample

does Fivewin use Name "id" as default also for "other" SQL ?
greeting,
Jimmy
Posts: 1585
Joined: Thu Sep 05, 2019 5:32 am
Location: Hamburg, Germany

Re: "id" for PRIMARY KEY ?

Postby Rick Lipkin » Sun Jul 23, 2023 3:03 pm

Jimmy .. you can use any value you want to name your Primary key .. When I create all my Sql Tables I use the name of the table +EID .. example I have a table named "User" .. so the primary key I would create would be "UserEID"

Totally your choice on how to name your primary key .. ps I do not use the "Auto" incrementing feature .. I create my Primary key values myself .. Auto incrementing Primary keys lend themselves to Sql Injection attacks ..

Rick
Posts: 2618
Joined: Fri Oct 07, 2005 1:50 pm
Location: Columbia, South Carolina USA

Re: "id" for PRIMARY KEY ?

Postby nageswaragunupudi » Sun Jul 23, 2023 11:23 pm

Jimmy wrote: does Fivewin use Name "id" as default also for "other" SQL ?

Yes, by default for autoincrement primary field.
Programmer can choose different field names.

FWH functions allow specifying the structure of a table using a structure like DBSTRUCT(). FWH creates the required SQL for creating the table using the structure internally and creates the table. Using FWH functions for creating tables has the benefit of portability across different RDBMSs.
Regards

G. N. Rao.
Hyderabad, India
Posts: 10248
Joined: Sun Nov 19, 2006 5:22 am
Location: India

Re: "id" for PRIMARY KEY ?

Postby Jimmy » Mon Jul 24, 2023 1:52 am

hi,

ok, understand

@Rick
are your User Name UNIQUE ?

Rick Lipkin wrote: Auto incrementing Primary keys lend themselves to Sql Injection attacks

did you have a Sample to show the Problem ?
greeting,
Jimmy

Re: "id" for PRIMARY KEY ?

Postby Rick Lipkin » Tue Jul 25, 2023 1:48 pm

Jimmy

I create my own primary keys that way I control when a table is appended .. if you use auto increment an attacker could force a table append or "Inject" records into your tables and the database doesn't care .. the primary keys are generated automatically .. for me I create ALL my primary keys programmatically so if someone infiltrates my database security and tries to create new records or "Inject" ( append ) records they will fail because there is no primary key and the injection fails ..

Just something to keep in mind .. .

Re: "id" for PRIMARY KEY ?

Postby nageswaragunupudi » Tue Jul 25, 2023 2:10 pm

Rick Lipkin wrote:Jimmy

I create my own primary keys that way I control when a table is appended .. if you use auto increment an attacker could force a table append or "Inject" records into your tables and the database doesn't care .. the primary keys are generated automatically .. for me I create ALL my primary keys programmatically so if someone infiltrates my database security and tries to create new records or "Inject" ( append ) records they will fail because there is no primary key and the injection fails ..

Just something to keep in mind .. .


I am not fully convinced.
Can you please provide an example of a FWH program where a regular user can "inject" ?
Regards

G. N. Rao.
Hyderabad, India

Re: "id" for PRIMARY KEY ?

Postby Rick Lipkin » Tue Jul 25, 2023 6:46 pm

Rao

I am not talking about a regular user .. I am talking about a cyber attacker who wishes to gain control of your application and then try to insert or "Inject" malicious rows into your database .. If you have autoincrement set on your primary key .. there is nothing to stop a malicious attack from inserting new rows into your SQL table. If I, on the other hand, have a routine on append to programmatically create a unique ID .. I don't have to worry about a hacker getting into my sql machine and trying to inject bogus rows because you can not append without a Primary key value ..

Code:

//-------------------
Static Func _GenEid()

// generate a unique primary key


LOCAL nRAND,cRand
LOCAL oRs, cSQL, oERR

oRs:= TOleAuto():New( "ADODB.Recordset" )
oRs:CursorType     := 1        // adOpenKeyset
oRs:CursorLocation := 3        // adUseClient (local cache)
oRs:LockType       := 3        // adLockOptimistic

cSQL := "SELECT UserEid from UserInfo"

TRY
   oRs:Open( cSQL,xCONNECT )
CATCH oErr
   MsgInfo( "Error in Opening USERINFO table to Create Unique EID" )
   RETURN("BOGUS")
END TRY

DO WHILE .T.

   nRAND := nRANDOM(10000000000000000)

   // 1 is reserved and 0 is a null key //

   IF nRAND = 1 .or. nRAND = 0 .or. nRAND = NIL
      LOOP
   ENDIF

   cRAND := STR(nRAND,17)

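   // search for an existing row with this key (nothing to search if the recordset is empty)
   IF ! oRs:eof
      oRs:MoveFirst()
      oRs:Find("UserEid = '"+cRAND+"'" )
   ENDIF

   // eof here means no row matched, so the key is unused; otherwise try another value
   IF oRs:eof
      EXIT
   ENDIF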

ENDDO

oRs:Close()
oRs := nil

RETURN( cRAND )


 

Re: "id" for PRIMARY KEY ?

Postby nageswaragunupudi » Wed Jul 26, 2023 4:24 am

I am not asking how to generate a unique primary key.
I am asking for an example of an FWH program, using which SQLI (sql injection) is possible.
Regards

G. N. Rao.
Hyderabad, India

Re: "id" for PRIMARY KEY ?

Postby Rick Lipkin » Thu Jul 27, 2023 1:11 pm

Rao .. I do not have an answer .. My "primary key procedure" is more of a preventative measure to keep attackers (from using whatever means) to hack my tables and covertly insert rows.

Rick Lipkin

Re: "id" for PRIMARY KEY ?

Postby nageswaragunupudi » Thu Jul 27, 2023 3:37 pm

It all depends on our program.
Not on autoinc keys.
We will discuss SQLI after a few days.
Regards

G. N. Rao.
Hyderabad, India
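
Added example, not part of any post in this thread and not FWH code: a Python/sqlite3 sketch of the point in the last reply, that injection depends on how the program builds its SQL and not on how the key is generated. The table contents, key values and input string are constructed for illustration; only the UserInfo/UserEid names come from the posted code.

```python
import sqlite3

HOSTILE_NAME = "nobody' OR '1'='1"  # constructed input, not from the thread

def make_db(autoinc):
    """Constructed UserInfo table keyed by autoincrement or by an app-made ID."""
    db = sqlite3.connect(":memory:")
    key = ("INTEGER PRIMARY KEY AUTOINCREMENT" if autoinc
           else "TEXT PRIMARY KEY NOT NULL")
    db.execute(f"CREATE TABLE UserInfo (UserEid {key}, UserName TEXT)")
    if autoinc:
        db.executemany("INSERT INTO UserInfo (UserName) VALUES (?)",
                       [("alice",), ("bob",)])
    else:
        db.executemany("INSERT INTO UserInfo (UserEid, UserName) VALUES (?, ?)",
                       [("4820193377", "alice"), ("9051127304", "bob")])
    return db

def find_concatenated(db, name):
    # Vulnerable pattern: the input becomes part of the SQL text.
    sql = "SELECT UserName FROM UserInfo WHERE UserName = '" + name + "'"
    return [row[0] for row in db.execute(sql)]

def find_parameterized(db, name):
    # Hardened pattern: the input is bound as a value, never parsed as SQL.
    sql = "SELECT UserName FROM UserInfo WHERE UserName = ?"
    return [row[0] for row in db.execute(sql, (name,))]

def compare():
    """Rows matched by (concatenated, parameterized) lookup per key scheme."""
    result = {}
    for label, autoinc in (("autoinc", True), ("app_key", False)):
        db = make_db(autoinc)
        result[label] = (len(find_concatenated(db, HOSTILE_NAME)),
                         len(find_parameterized(db, HOSTILE_NAME)))
    return result

def rows_after_direct_insert(db):
    # A session that already holds INSERT rights supplies any unused key itself,
    # so the key column is not an access control; database privileges are.
    db.execute("INSERT INTO UserInfo (UserEid, UserName) VALUES (?, ?)",
               ("1234567890", "extra"))
    return db.execute("SELECT COUNT(*) FROM UserInfo").fetchone()[0]

if __name__ == "__main__":
    print(compare())
    print(rows_after_direct_insert(make_db(False)))
```

Both key schemes give the same result: the concatenated lookup matches every row, the parameterized one matches none.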

