
Limiting CommandText use


2006-01-18 04:16:46 AM
delphi192
The use of CommandText in the ClientDataSet of a multitier system
provides a simple way of passing parameters, but a golden way for
fraudsters to hack into the system.
xxx.CommandText := 'Select CreditCardNo from Creditcards'
How is this prevented?
Geoff Marshall

Re:Limiting CommandText use

Leo,
If you set [poAllowCommandText] false how do you pass the parameter?
Geoff

Re:Limiting CommandText use

Bill,
Agreed that would work, but this is a ?000 project!
I think I have a solution and will let you know.
Geoff Marshall

Re:Limiting CommandText use

"Geoff Marshall" <XXXX@XXXXX.COM> wrote in message
Quote
The use of CommandText in the ClientDataSet of a multitier system
provides a simple way of passing parameters, but a golden way for
fraudsters to hack into the system.

xxx.CommandText := 'Select CreditCardNo from Creditcards'

How is this prevented?
Include/exclude [poAllowCommandText] in the Options property of the
DataSetProvider that the ClientDataSet is connected to.
hth.
regards,
Leo

Re:Limiting CommandText use

Geoff Marshall writes:
Quote
The use of CommandText in the ClientDataSet of a multitier system
provides a simple way of passing parameters, but a golden way for
fraudsters to hack into the system.

xxx.CommandText := 'Select CreditCardNo from Creditcards'

How is this prevented?

Geoff Marshall
Use a VPN or some other form of over-the-wire encryption.
--
Bill Todd (TeamB)

Re:Limiting CommandText use

Geoff Marshall writes:
Quote
Leo,

If you set [poAllowCommandText] false how do you pass the parameter?

Geoff
Use the params of the dataset if the SQL is static and the params just
change. If you need to generate an SQL statement on the fly, use one of
the provider's events with OwnerData or DataRequest to send the params
and build the statement.
--------------
Joe Bain
www.iegsoftware.com
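One way to put Leo's and Joe Bain's answers together, as an added Delphi example that is not part of this thread or of any poster's code: the server-side provider drops poAllowCommandText so the client can no longer submit its own SQL, the SQL stays static with a bound parameter, and the client supplies only the changing value, either through the dataset's Params or through OwnerData in BeforeGetRecords. The unit and component names (TServerModule, qryCards, prvCards, TClientForm, cdsCards, edtCustomerId), the CreditCards table and its columns, and the use of the classic `Provider`/`SqlExpr` units are all assumptions for the sake of the example.

```delphi
unit ServerDM;

{ Added example, not from the thread. Server-side data module of a
  multitier DataSnap/MIDAS application. All component and table names
  below are assumed. }

interface

uses
  SysUtils, Classes, Variants, DB, Provider, SqlExpr;

type
  TServerModule = class(TDataModule)
    qryCards: TSQLQuery;          // assumed: the provider's DataSet
    prvCards: TDataSetProvider;   // assumed: exported to the client
    procedure DataModuleCreate(Sender: TObject);
    procedure prvCardsBeforeGetRecords(Sender: TObject;
      var OwnerData: OleVariant);
  end;

implementation

{$R *.dfm}

procedure TServerModule.DataModuleCreate(Sender: TObject);
begin
  // Static SQL with a bound parameter: the client never sends SQL text,
  // so it cannot widen the query to other customers' rows.
  qryCards.SQL.Text :=
    'SELECT CardId, LastFour FROM CreditCards WHERE CustomerId = :CustomerId';

  // Leo's point: without poAllowCommandText the provider refuses any
  // CommandText a client sets; the client gets an error instead of data.
  prvCards.Options := prvCards.Options - [poAllowCommandText];
end;

procedure TServerModule.prvCardsBeforeGetRecords(Sender: TObject;
  var OwnerData: OleVariant);
var
  CustomerId: Integer;
begin
  // Joe Bain's OwnerData route: the client ships only the key value.
  // Validate it server-side; the trust boundary is here, not on the client.
  if VarIsEmpty(OwnerData) or VarIsNull(OwnerData) then
    raise Exception.Create('Customer id required');
  CustomerId := OwnerData;   // raises EVariantError if not numeric
  if CustomerId <= 0 then
    raise Exception.Create('Invalid customer id');

  // Bind, never concatenate: the value goes in as a parameter.
  qryCards.Close;
  qryCards.ParamByName('CustomerId').AsInteger := CustomerId;
end;

end.

{ Client side of the same added example (assumed form and components).
  Either route works against the provider above; choose one. }

// Route 1 (static SQL, only the params change): pull the param
// definitions from the provider, set the value, open.
procedure TClientForm.LoadCardsByParams(ACustomerId: Integer);
begin
  cdsCards.Close;
  cdsCards.FetchParams;                     // gets :CustomerId from qryCards
  cdsCards.Params.ParamByName('CustomerId').AsInteger := ACustomerId;
  cdsCards.Open;                            // provider binds the param
end;

// Route 2 (OwnerData): hand the key to the server's BeforeGetRecords.
procedure TClientForm.cdsCardsBeforeGetRecords(Sender: TObject;
  var OwnerData: OleVariant);
begin
  OwnerData := edtCustomerId.Value;         // assumed TSpinEdit on the form
end;
```

With poAllowCommandText excluded, a client that still does `cdsCards.CommandText := 'SELECT CreditCardNo FROM CreditCards'` gets an error from the provider rather than the full table; on the server, the only thing a client can influence is the value bound to :CustomerId, which is validated before it is used.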