FiveTech Support Forums

FiveWin / Harbour / xBase community
Posts: 1772
Joined: Thu Sep 05, 2019 05:32 AM
"id" for PRIMARY KEY ?
Posted: Sun Jul 23, 2023 10:46 AM
hi,

i saw Name "id" for PRIMARY KEY in PostgreSQL Sample

does Fivewin use Name "id" as default also for "other" SQL ?
greeting,

Jimmy
Posts: 2706
Joined: Fri Oct 07, 2005 01:50 PM
Re: "id" for PRIMARY KEY ?
Posted: Sun Jul 23, 2023 03:03 PM

Jimmy .. you can use any value you want to name your Primary key .. When I create all my Sql Tables I use the name of the table +EID .. example I have a table named "User" .. so the primary key I would create would be "UserEID"

Totally your choice on how to name your primary key .. ps I do not use the "Auto" incrementing feature .. I create my Primary key values myself .. Auto incrementing Primary keys lend themselves to Sql Injection attacks ..

Rick

Posts: 10733
Joined: Sun Nov 19, 2006 05:22 AM
Re: "id" for PRIMARY KEY ?
Posted: Sun Jul 23, 2023 11:23 PM
does Fivewin use Name "id" as default also for "other" SQL ?
Yes, by default for autoincrement primary field.
Programmer can choose different field names.

FWH functions allow specifying the structure of a table using a structure like DBSTRUCT(). FWH creates the required SQL for creating the table using the structure internally and creates the table. Using FWH functions for creating tables has the benefit of portability across different RDBMSs.
Regards



G. N. Rao.

Hyderabad, India
Posts: 1772
Joined: Thu Sep 05, 2019 05:32 AM
Re: "id" for PRIMARY KEY ?
Posted: Mon Jul 24, 2023 01:52 AM
hi,

ok, understand

@Rick
are your User Name UNIQUE ?
Auto incrementing Primary keys lend themselves to Sql Injection attacks
did you have a Sample to show the Problem ?
greeting,

Jimmy
Posts: 2706
Joined: Fri Oct 07, 2005 01:50 PM
Re: "id" for PRIMARY KEY ?
Posted: Tue Jul 25, 2023 01:48 PM

Jimmy

I create my own primary keys that way I control when a table is appended .. if you use auto increment an attacker could force a table append or "Inject" records into your tables and the database doesn't care .. the primary keys are generated automatically .. for me I create ALL my primary keys programmatically so if someone infiltrates my database security and tries to create new records or "Inject" ( append ) records they will fail because there is no primary key and the injection fails ..

Just something to keep in mind .. .

Posts: 10733
Joined: Sun Nov 19, 2006 05:22 AM
Re: "id" for PRIMARY KEY ?
Posted: Tue Jul 25, 2023 02:10 PM
Rick Lipkin wrote:
Jimmy

I create my own primary keys that way I control when a table is appended .. if you use auto increment an attacker could force a table append or "Inject" records into your tables and the database doesn't care .. the primary keys are generated automatically .. for me I create ALL my primary keys programmatically so if someone infiltrates my database security and tries to create new records or "Inject" ( append ) records they will fail because there is no primary key and the injection fails ..

Just something to keep in mind .. .
I am not fully convinced.
Can you please provide an example of a FWH program where a regular user can "inject" ?
Regards



G. N. Rao.

Hyderabad, India
Posts: 2706
Joined: Fri Oct 07, 2005 01:50 PM
Re: "id" for PRIMARY KEY ?
Posted: Tue Jul 25, 2023 06:46 PM
Rao

I am not talking about a regular user .. I am talking about a cyber attacker who wishes to gain control of your application and then try to insert or "Inject" malicious rows into your database .. If you have autoincrement set on your primary key .. there is nothing to stop a malicious attack to insert new rows into your SQL table. If I, on the other hand, have a routine on append to programmatically create a unique ID .. I don't have to worry about a hacker getting into my sql machine and trying to inject bogus rows because you can not append without a Primary key value ..
Code (fw):
//-------------------
Static Func _GenEid()

// generate a unique primary key


LOCAL nRAND,cRand
LOCAL oRs, cSQL, oERR

oRs:= TOleAuto():New( "ADODB.Recordset" )
oRs:CursorType     := 1        // adOpenKeyset
oRs:CursorLocation := 3        // adUseClient (local cache)
oRs:LockType       := 3        // adLockOptimistic

cSQL := "SELECT UserEid from UserInfo"

TRY
   oRs:Open( cSQL,xCONNECT )
CATCH oErr
   MsgInfo( "Error in Opening USERINFO table to Create Unique EID" )
   RETURN("BOGUS")
END TRY

DO WHILE .T.

   nRAND := nRANDOM(10000000000000000)

   // 1 is reserved and 0 is a null key //

   IF nRAND = 1 .or. nRAND = 0 .or. nRAND = NIL
      LOOP
   ENDIF

   cRAND := STR(nRAND,17)

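   // search for a collision only when the recordset has rows
   IF ! oRs:eof
      oRs:MoveFirst()
      oRs:Find("UserEid = '"+cRAND+"'" )
   ENDIF

   // eof here means no existing row carries this key, so it is unique
   IF oRs:eof
      EXIT
   ENDIF

ENDDO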

oRs:Close()
oRs := nil

RETURN( cRAND )
Posts: 10733
Joined: Sun Nov 19, 2006 05:22 AM
Re: "id" for PRIMARY KEY ?
Posted: Wed Jul 26, 2023 04:24 AM

I am not asking how to generate a unique primary key.

I am asking for an example of an FWH program, using which SQLI (sql injection) is possible.

Regards



G. N. Rao.

Hyderabad, India
Posts: 2706
Joined: Fri Oct 07, 2005 01:50 PM
Re: "id" for PRIMARY KEY ?
Posted: Thu Jul 27, 2023 01:11 PM

Rao .. I do not have an answer .. My "primary key procedure" is more of a preventative measure to keep attackers (using whatever means) from hacking my tables and covertly inserting rows.

Rick Lipkin

Posts: 10733
Joined: Sun Nov 19, 2006 05:22 AM
Re: "id" for PRIMARY KEY ?
Posted: Thu Jul 27, 2023 03:37 PM

It all depends on our program.

Not on autoinc keys

We will discuss SQLI after a few days.

Regards



G. N. Rao.

Hyderabad, India
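
The point made in the last post, that injection depends on the program and not on autoincrement keys, as an added example that is not code from any poster or from FWH. It uses Python's sqlite3 instead of FWH; the table names, `gen_eid` (a stand-in for the `_GenEid` idea) and the input strings are constructed for illustration.

```python
import secrets
import sqlite3

TABLES = {
    # auto-increment key, like the default "id" field discussed in the thread
    "users_auto": "CREATE TABLE users_auto (id INTEGER PRIMARY KEY AUTOINCREMENT, name TEXT)",
    # application-generated key, like the UserEid scheme in the thread
    "users_eid": "CREATE TABLE users_eid (UserEid TEXT PRIMARY KEY, name TEXT)",
}

# Constructed inputs: a "name" per table that closes the string literal early.
HOSTILE = {
    "users_auto": "x'), ('extra",
    "users_eid": "x'), ('constructed-key', 'extra",
}

def new_db():
    db = sqlite3.connect(":memory:")
    for ddl in TABLES.values():
        db.execute(ddl)
    return db

def gen_eid():
    # random 16-digit key produced by the application (hypothetical helper)
    return str(secrets.randbelow(10**16)).zfill(16)

def add_user_concat(db, table, name):
    """Vulnerable: the name is pasted into the SQL text and parsed as SQL."""
    if table == "users_auto":
        sql = "INSERT INTO users_auto (name) VALUES ('" + name + "')"
    else:
        sql = "INSERT INTO users_eid VALUES ('" + gen_eid() + "', '" + name + "')"
    db.execute(sql)

def add_user_param(db, table, name):
    """Hardened: the name is bound as data and stored as one literal value."""
    if table == "users_auto":
        db.execute("INSERT INTO users_auto (name) VALUES (?)", (name,))
    else:
        db.execute("INSERT INTO users_eid VALUES (?, ?)", (gen_eid(), name))

def demo(add_user):
    """Add one user per table with the hostile name; return rows per table."""
    db = new_db()
    for table, name in HOSTILE.items():
        add_user(db, table, name)
    return {t: db.execute("SELECT COUNT(*) FROM " + t).fetchone()[0] for t in TABLES}
```

With the concatenated statement, one "add user" call leaves two rows in both tables, whichever way the key is produced; with bound parameters each call leaves exactly one row.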
