3 Replies Latest reply on Apr 24, 2009 3:15 PM by TSGal

    Defending against SQL injection attacks

    preinheimer


      My apologies if this question has been answered to death, search didn't help me find anything.

      What characters do I need to escape when executing queries against FileMaker Pro via an ODBC connection? For many databases it's ", ', and NULL, but I can't seem to find an authoritative list for FileMaker Pro.

        • 1. Re: Defending against SQL injection attacks
          TSGal

          preinheimer:

          Thank you for your post.

          If you are using FileMaker Pro and connected via ODBC to another application, then using either Escape (Windows) or Command-period (Mac OS X) should stop the search process.

          If you are connecting to FileMaker Pro from another application via ODBC, then whatever keystroke you normally use for that application to stop a process would be required.

          TSGal

          FileMaker, Inc. 

          • 2. Re: Defending against SQL injection attacks
            preinheimer

            Hi TSGal,

            Thank you for taking the time to reply, I fear I may have phrased my question poorly.

            Consider a situation where you are using ODBC to connect to filemaker and are executing queries using
            SQL, with values supplied by an untrusted source.

            SELECT * FROM users WHERE username = 'VALUE';

            Should a user give you something like "fred", all is well. If they instead
            gave you something like "fred' OR 'a' = 'a" you end up selecting a lot more 
            rows than you had intended.

            The solution in this case is generally to escape the ' character with a backslash: "fred\' OR \'a\' = \'a".
            That way the query interpreter knows to ignore the meaning of the quote and just continue on. 

            Different DBMSs recognize different characters as being special (like the '). For some it's simply
            ", ', NULL. For others \n, \r, and ASCII character 27. 

            I'm hoping to find an authoritative list for FileMaker Pro so I can adequately escape data being entered. 
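An added example, not part of this thread, that runs the query and the payload from the post above both ways: spliced into the SQL text, and passed as a bound parameter, which is the mitigation that removes the need for a per-database escape list. It assumes Python's sqlite3 as a stand-in for the FileMaker ODBC driver (not available offline); pyodbc uses the same `?` parameter marker, so the parameterized form carries over unchanged.

```python
import sqlite3

# Constructed sample rows standing in for a FileMaker "users" table.
SAMPLE_USERS = [
    ("fred", "fred@example.com"),
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]


def make_db():
    """In-memory sqlite3 database (assumed stand-in for the ODBC-connected FileMaker file)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_concatenated(conn, username):
    """Vulnerable pattern from the post: the untrusted value becomes part of the SQL text."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, username):
    """Hardened form: the value is bound to a '?' marker and is never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo():
    """Run the well-behaved input and the post's payload through both query styles."""
    conn = make_db()
    payload = "fred' OR 'a' = 'a"   # the input quoted in the post
    return {
        "concat_normal": lookup_concatenated(conn, "fred"),       # ['fred']
        "concat_injected": lookup_concatenated(conn, payload),    # every row leaks
        "param_normal": lookup_parameterized(conn, "fred"),       # ['fred']
        "param_injected": lookup_parameterized(conn, payload),    # [] : no user has that literal name
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```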

            • 3. Re: Defending against SQL injection attacks
              TSGal

              preinheimer:

              Thanks for the clarification.

              Once you send the information to the ODBC driver, the driver then sends the information to the FileMaker file.

              FileMaker generally searches strings between double-quotes. In FileMaker, if you have a double-quote within a string, you precede it with a backslash.

              Other than that, you would need to know more about the ODBC driver to escape data being entered.

              TSGal

              FileMaker, Inc.