"id" for PRIMARY KEY ?

Jimmy
Posts: 1740
Joined: Thu Sep 05, 2019 5:32 am
Location: Hamburg, Germany
Has thanked: 2 times

"id" for PRIMARY KEY ?

Post by Jimmy »

hi,

i saw Name "id" for PRIMARY KEY in PostgreSQL Sample

does Fivewin use Name "id" as default also for "other" SQL?
greeting,
Jimmy
Rick Lipkin
Posts: 2668
Joined: Fri Oct 07, 2005 1:50 pm
Location: Columbia, South Carolina USA

Re: "id" for PRIMARY KEY ?

Post by Rick Lipkin »

Jimmy .. you can use any value you want to name your Primary key .. When I create all my Sql Tables I use the name of the table +EID .. example I have a table named "User" .. so the primary key I would create would be "UserEID"

Totally your choice on how to name your primary key .. ps I do not use the "Auto" incrementing feature .. I create my Primary key values myself .. Auto incrementing Primary keys lend themselves to Sql Injection attacks ..

Rick
nageswaragunupudi
Posts: 10721
Joined: Sun Nov 19, 2006 5:22 am
Location: India
Been thanked: 8 times

Re: "id" for PRIMARY KEY ?

Post by nageswaragunupudi »

Jimmy wrote: does Fivewin use Name "id" as default also for "other" SQL?
Yes, by default for autoincrement primary field.
Programmer can choose different field names.

FWH functions allow specifying the structure of a table using a structure like DBSTRUCT(). FWH creates the required SQL for creating the table using the structure internally and creates the table. Using FWH functions for creating tables has the benefit of portability across different RDBMSs.
Regards

G. N. Rao.
Hyderabad, India

Re: "id" for PRIMARY KEY ?

Post by Jimmy »

hi,

ok, understand

@Rick
are your User Name UNIQUE?
Rick Lipkin wrote: Auto incrementing Primary keys lend themselves to Sql Injection attacks
did you have a Sample to show the Problem?
greeting,
Jimmy

Re: "id" for PRIMARY KEY ?

Post by Rick Lipkin »

Jimmy

I create my own primary keys that way I control when a table is appended .. if you use auto increment an attacker could force a table append or "Inject" records into your tables and the database doesn't care .. the primary keys are generated automatically .. for me I create ALL my primary keys programmatically so if someone infiltrates my database security and tries to create new records or "Inject" ( append ) records they will fail because there is no primary key and the injection fails ..

Just something to keep in mind .. .

Re: "id" for PRIMARY KEY ?

Post by nageswaragunupudi »

Rick Lipkin wrote:
Jimmy

I create my own primary keys that way I control when a table is appended .. if you use auto increment an attacker could force a table append or "Inject" records into your tables and the database doesn't care .. the primary keys are generated automatically .. for me I create ALL my primary keys programmatically so if someone infiltrates my database security and tries to create new records or "Inject" ( append ) records they will fail because there is no primary key and the injection fails ..

Just something to keep in mind .. .
I am not fully convinced.
Can you please provide an example of a FWH program where a regular user can "inject" ?
Regards

G. N. Rao.
Hyderabad, India

Re: "id" for PRIMARY KEY ?

Post by Rick Lipkin »

Rao

I am not talking about a regular user .. I am talking about a cyber attacker who wishes to gain control of your application and then try to insert or "Inject" malicious rows into your database .. If you have autoincrement set on your primary key .. there is nothing to stop a malicious attack to insert new rows into your SQL table. If I, on the other hand, have a routine on append to programmatically create a unique ID .. I don't have to worry about a hacker getting into my sql machine and trying to inject bogus rows because you can not append without a Primary key value ..

Code:

//-------------------
STATIC FUNCTION _GenEid()

// generate a unique primary key for UserInfo.UserEid

LOCAL nRand, cRand
LOCAL oRs, cSQL, oErr

oRs := TOleAuto():New( "ADODB.Recordset" )
oRs:CursorType     := 1        // adOpenKeyset
oRs:CursorLocation := 3        // adUseClient (local cache)
oRs:LockType       := 3        // adLockOptimistic

cSQL := "SELECT UserEid FROM UserInfo"

TRY
   oRs:Open( cSQL, xCONNECT )   // xCONNECT is not declared here; it comes from the calling program
CATCH oErr
   MsgInfo( "Error in Opening USERINFO table to Create Unique EID" )
   RETURN( "BOGUS" )
END TRY

DO WHILE .T.

   nRand := nRandom( 10000000000000000 )

   // 1 is reserved and 0 is a null key //
   // NIL is tested first so the numeric comparisons never see a NIL value

   IF nRand == NIL .OR. nRand = 1 .OR. nRand = 0
      LOOP
   ENDIF

   cRand := Str( nRand, 17 )

   // search the existing keys for the candidate value
   IF ! oRs:Eof
      oRs:MoveFirst()
      oRs:Find( "UserEid = '" + cRand + "'" )
   ENDIF

   // Eof after Find() (or on an empty table) means the value is not in use
   IF oRs:Eof
      EXIT
   ENDIF

ENDDO

oRs:Close()
oRs := NIL

RETURN( cRand )


Re: "id" for PRIMARY KEY ?

Post by nageswaragunupudi »

I am not asking how to generate a unique primary key.
I am asking for an example of an FWH program, using which SQLI (sql injection) is possible.
Regards

G. N. Rao.
Hyderabad, India

Re: "id" for PRIMARY KEY ?

Post by Rick Lipkin »

Rao .. I do not have an answer .. My "primary key procedure" is more of a preventative measure to keep attackers (from using whatever means) to hack my tables and covertly insert rows .

Rick Lipkin

Re: "id" for PRIMARY KEY ?

Post by nageswaragunupudi »

It all depends on our program.
Not on autoinc keys.
We will discuss SQLI after a few days.
Regards

G. N. Rao.
Hyderabad, India
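
Added example (not part of the thread and not FWH code): a Python/sqlite3 sketch of the point in the last post, that SQL injection depends on how the program builds its statements and not on whether the key is autoincrement. The table and column names follow the code posted above; the function names, sample rows and input strings are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory table keyed by an application-generated value (no autoincrement)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE UserInfo (UserEid TEXT PRIMARY KEY, UserName TEXT NOT NULL)")
    # Constructed sample rows; keys mimic program-generated 17-character values.
    conn.executemany("INSERT INTO UserInfo VALUES (?, ?)",
                     [("00000000000004711", "alice"),
                      ("00000000000009923", "bob")])
    return conn

def find_user_concat(conn, name):
    # Vulnerable pattern: user input is spliced into the SQL text, so quote
    # characters in `name` change the statement itself.
    sql = "SELECT UserName FROM UserInfo WHERE UserName = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))

def find_user_param(conn, name):
    # Hardened pattern: the value is bound as a parameter and is never parsed as SQL.
    sql = "SELECT UserName FROM UserInfo WHERE UserName = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))

def insert_with_caller_key(conn, eid, name):
    # A client that is allowed to run INSERT can supply any unused key value;
    # the database does not check which routine produced it. What limits this
    # is who holds INSERT rights and how statements are built.
    conn.execute("INSERT INTO UserInfo VALUES (?, ?)", (eid, name))
    return conn.execute("SELECT COUNT(*) FROM UserInfo").fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    crafted = "nobody' OR '1'='1"          # constructed input containing a quote
    print("concatenated:", find_user_concat(db, crafted))   # every row comes back
    print("parameterized:", find_user_param(db, crafted))   # no row matches
    print("rows after insert:", insert_with_caller_key(db, "00000000000000042", "eve"))
```

The table here has no autoincrement column at all, yet the concatenated query is still injectable and a caller-supplied key is still accepted, so the protection has to come from bound parameters and restricted database privileges.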