
Protection from SQL Injection in DW.NT

6 posts in DataWindow .NET. Last posting was on 2004-08-20 03:55:23.0Z
Tim Cavanaugh Posted on 2004-08-17 23:59:00.0Z

I know from reading messages in this forum that the DW.NET will be expanded
to handle Web Forms in about 6 months. Are there plans to protect against
SQL Injection in DW.NET? By protection from SQL Injection, I mean
preventing the user from entering data in a field on a Web Form that will
terminate the Select statement that DW.NET is composing and follow it with
an Insert, Delete or Update statement to sneak bad data into the database.
It would be nice if the DW.NET had a settable property that would throw an
Exception if the property was set to True and SQL Injection was detected.


dfish Posted on 2004-08-18 09:42:32.0Z

Can you provide a more specific example of how this might work? I'm
having trouble visualizing it.

As it works now, the code for the DataWindow is run on the server and
the only thing rendered in the browser is HTML and Javascript (for
client side formatting and validation as well as events).

There is no database connectivity from the browser so I can't see how
something like this could occur.

Regards,
Dave Fish
Sybase



Tim Cavanaugh Posted on 2004-08-18 17:37:40.0Z

The following is an example of my understanding of what SQL Injection is.
Suppose that your app has a Form containing a field for the "last_name"
column. If the user enters the following value in the "last_name" field
; delete * from person;
then the dynamically created "update statement" would delete all the rows in
the "person" table; this assumes that the user correctly guessed that your
app has a "person" table. The above also assumes that the database uses ";"
to separate multiple SQL statements.

SQL Injection is the argument that many use to say that you should always
use "stored procedures" to access a database for security reasons.

In most client/server apps, SQL Injection is not usually a problem because
you require a "login" and thus assume that the user is not malicious. But
in Web Apps, you either don't require a "login" or it is easy to obtain a
valid "Login ID".

In my opinion, using "stored procedures" makes coding much more difficult
and I would like to use the power of DW.NET to dynamically create the
"insert", "update" and "delete" statements for me. I think that it would be
nice to have a property associated with the DW (that, when set to True, would
require DW.NET to search for any SQL Injection and raise an Exception when
it detects an attempt at SQL Injection.

I know that the programmer could check the syntax of the "update statement"
before allowing it to be executed, but that would require every programmer
to be a SQL Injection expert in every database that they use. It makes more
sense if it was done once by a SQL Injection expert within DW.NET.



Bruce Armstrong [TeamSybase] Posted on 2004-08-18 23:48:36.0Z

I've tried it with both inserts and updates, with binding on and off.
If you enter "; delete * from employee;" for a column, the DataWindow
pretty much just stores that value in the database. Basically there's
not much you can't put into the datawindow columns that the datawindow
won't just handle as simple data.

Basically the issue occurs when the application receiving the data
doesn't handle embedded delimiters correctly:

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci996071,00.html

The DataWindow is real good about handling them properly.


Bruce Armstrong [TeamSybase]
http://www.teamsybase.com

TeamSybase blogs:
http://www.teamsybase.net/blogs

Vote for PocketBuilder in the Mobile Village awards
http://www.mobilevillage.com/awards.htm

Two 3rd party books on developing with PowerBuilder
http://www.pb9books.com?source=newsgroups

Need code sample? Check out CodeXchange:
http://www.codexchange.sybase.com

Preach the gospel at all times. If necessary, use words. - Francis of Assisi
http://www.needhim.org

---------------------------------------------------------------------
DISCLAIMER:

This newsgroup message is only intended for the recipient. Given that it
is a posting to a public newsgroup, that means if you can read this
message then you are the recipient. This message may contain information
that is confidential and protected from disclosure. And then again,
it may not.

Given that TeamSybase members are not employees of Sybase, the contents
of this message do not necessarily represent the views or policies of
Sybase. Given that TeamSybase is a diverse group of users of Sybase
products, the contents of this message do not necessarily represent the
views of a significant number of the members of TeamSybase. Given that the
author has multiple personalities and hears voices in his head, the contents
of this message do not necessarily represent his own views.
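Bruce's point (the problem is embedded delimiters, and a DataWindow that binds values stores them as plain data) and Tim's "last_name" example, worked through as an added example that is not code from the thread or from DataWindow .NET. It uses Python's sqlite3 with a constructed "person" table: a concatenated UPDATE next to a parameter-bound one, fed both the thread's payload and a legitimate name containing an apostrophe.

```python
import sqlite3

# Constructed sample schema and rows; the table and column names follow the thread.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person (id INTEGER PRIMARY KEY, last_name TEXT)")
    conn.executemany("INSERT INTO person (id, last_name) VALUES (?, ?)",
                     [(1, "Smith"), (2, "Jones")])
    conn.commit()
    return conn

def update_concat(conn, person_id, value):
    # The fragile form: the value is pasted into the SQL text, so any quote
    # inside it ends the string literal and changes the statement's meaning.
    sql = ("UPDATE person SET last_name = '" + value + "' "
           "WHERE id = " + str(person_id))
    conn.execute(sql)
    conn.commit()

def update_bound(conn, person_id, value):
    # The safe form (what Bruce describes DataWindow doing): the value travels
    # as a bound parameter, never as SQL text, so delimiters are just data.
    conn.execute("UPDATE person SET last_name = ? WHERE id = ?", (value, person_id))
    conn.commit()

def stored(conn, person_id):
    row = conn.execute("SELECT last_name FROM person WHERE id = ?",
                       (person_id,)).fetchone()
    return None if row is None else row[0]

def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM person").fetchone()[0]

def demo():
    results = {}
    payload = "; delete * from person;"   # the value Tim types into last_name
    legit = "O'Brien"                      # a real surname with an embedded delimiter

    # Bound parameters: both values are stored literally, nothing is deleted.
    conn = make_db()
    update_bound(conn, 1, payload)
    update_bound(conn, 2, legit)
    results["bound_payload"] = stored(conn, 1)
    results["bound_legit"] = stored(conn, 2)
    results["bound_rows"] = row_count(conn)

    # Concatenation with Tim's payload: it contains no quote, so even here it
    # lands in the column as data, matching what Bruce observed.
    conn = make_db()
    update_concat(conn, 1, payload)
    results["concat_payload"] = stored(conn, 1)

    # Concatenation with a legitimate apostrophe: the quote terminates the
    # literal and the statement no longer parses. The same delimiter handling
    # that breaks on O'Brien is what a crafted value would exploit.
    try:
        update_concat(conn, 2, legit)
        results["concat_legit_error"] = None
    except sqlite3.OperationalError as exc:
        results["concat_legit_error"] = type(exc).__name__
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Note that sqlite3's execute() refuses a second statement after ";", so the stacked-statement case Tim describes would need a driver that accepts batches; the apostrophe case shows the underlying delimiter problem without it.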


Pat Madigan Posted on 2004-08-19 14:04:08.0Z

That's huge. I hope that the marketing folks remember to mention that when
they start advertising dw.net to the rest of the software development world.
Normally, making database-aware web pages injection proof is kind of a pain,
at least it is using ASP and .NET.

Pat



dfish Posted on 2004-08-20 03:55:23.0Z

We will be now that I know about it. :-)

Thanks for the education gentlemen. This just shows that there is
always something new to learn.

Regards,
Dave Fish
Sybase
