Limitation of SQL Execution

[fowlplay4]

Quote:

Originally Posted by Gambet

Couldn't you use callstack protection? You can't restrict the commands themselves but you can restrict whatever system you're using to write and access the information and make it so only that system can make alterations.

I think he's referring to someone just doing in a level or script somewhere.

PHP Code:

function onCreated() {
  temp.statement = "DELETE * FROM Important_Table";
  requestsql(statement, false);
} 


But if they know how to do that then they're probably knowledgeable enough to use the restricted scripts anyway.

Best course of action, don't let people you don't trust have access to the scripts and levels, and filter through them if you have to. Besides there are so many better things they could do maliciously.

[Gambet]

Quote:

Originally Posted by fowlplay4

I think he's referring to someone just doing in a level or script somewhere.

PHP Code:

function onCreated() {
  temp.statement = "DELETE * FROM Important_Table";
  requestsql(statement, false);
} 


But if they know how to do that then they're probably knowledgeable enough to use the restricted scripts anyway.

Best course of action, don't let people you don't trust have access to the scripts and levels, and filter through them if you have to. Besides there are so many better things they could do maliciously.

I suppose you could still incorporate callstack, though, by storing a backup of the data and making it so if the system that is supposed to access the database isn't the one updating the database then whatever changes made to the data is automatically reverted back to the backup.