Manual SQL Precautions

Andromeda has a few simple functions that can eliminate hand-coding of SQL in most situations. However, it is often simpler and easier to just type in a few manual SQL commands -- especially when writing SELECTs.

In the modern world we must take precautions against a variety of threats when coding SQL, though most of them come down to preventing SQL Injection.

Andromeda is (Mostly) Immune to SQL Injection

Andromeda is structurally immune to the most common types of SQL Injection and Andromeda is immune to the worst consequences of SQL Injection. If a public surfer manages to slip a ";delete from customers" snippet past both your application and the framework code, nothing will happen if that user is not allowed to delete from the customers table. And if they are allowed to delete from the customers table (not likely for a public user, but possible for an admin) then they have gone to some work to do by stealth what they are perfectly welcome to do through the admin screens anyway.

So we say that Andromeda is structurally immune to SQL Injection because:

  • Just because a hacker might get an injection past our code, does not mean the database server will allow it.
  • Any injection that does get past will only be doing what the user is allowed to do anyway.

Formatting Variables

There is never any reason to be cavalier when programming, especially where security is concerned. Even if the Andromeda authors claim the framework is immune, it pays to be paranoid.

When coding a SQL command from variables that come from the browser, the variables should always be escaped. Andromeda provides three simple functions for this:

<?php
class x6example extends androX6 {
    function x6main() {
        # gp() reads a request parameter, i.e. a value that came
        # from the browser and must be treated as untrusted.
        # The SQLFD() function formats a value as a date, suitable
        # for interpolation into a SQL command
        $date = SQLFD(gp('date'));

        # The SQLFC() and SQLFN() functions respectively
        # format values as characters and numbers, all
        # properly escaped and quoted and ready for
        # PHP string interpolation
        $name = SQLFC(gp('name'));
        $age  = SQLFN(gp('age'));

        # With our escaped variables, we are ready
        # to safely make up a SQL string
        $sql = "SELECT *
                  FROM example
                 WHERE name = $name
                   AND date >= $date
                   AND age >= $age";
    }
}
?>
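To make concrete what each of the three formatters has to guarantee, here is an added, stand-alone example (not Andromeda's own code). The functions fmt_char, fmt_num and fmt_date are simplified stand-ins playing the roles of SQLFC(), SQLFN() and SQLFD(); the browser input is constructed, and the way bad numbers and dates are rejected is this example's own choice, not documented framework behaviour.

```php
<?php
// Added example, not the framework's code: simplified stand-ins for
// SQLFC / SQLFN / SQLFD, run on constructed browser input.

// Stand-in for SQLFC(): quote a string literal, escaping backslashes and
// quotes so the value can never close the literal it sits in.
function fmt_char(string $v): string {
    return "'" . str_replace(["\\", "'"], ["\\\\", "''"], $v) . "'";
}

// Stand-in for SQLFN(): numbers are interpolated unquoted, so escaping is
// not enough; the value must be coerced to an actual number.
function fmt_num($v): string {
    if (!is_numeric($v)) {
        return '0';   // assumption: non-numeric input collapses to 0
    }
    return (string) ($v + 0);
}

// Stand-in for SQLFD(): accept only a strict YYYY-MM-DD date, re-emit it
// from the parsed value so nothing but the date reaches the SQL string.
function fmt_date(string $v): string {
    $d = DateTime::createFromFormat('Y-m-d', $v);
    if ($d === false || $d->format('Y-m-d') !== $v) {
        return 'NULL';   // assumption: malformed dates become NULL
    }
    return "'" . $d->format('Y-m-d') . "'";
}

// Constructed request values, including the page's own injection snippet.
$input = [
    'name' => "Smith'; delete from customers; --",
    'age'  => "30 OR 1=1",
    'date' => "2013-01-01' OR '1'='1",
];

// Unsafe: raw interpolation lets the input rewrite the statement.
$unsafe = "SELECT * FROM example WHERE name = '{$input['name']}'"
        . " AND age >= {$input['age']} AND date >= '{$input['date']}'";

// Safe: every value is formatted first, so each one can only be a literal.
$name = fmt_char($input['name']);
$age  = fmt_num($input['age']);
$date = fmt_date($input['date']);
$safe = "SELECT * FROM example WHERE name = $name"
      . " AND age >= $age AND date >= $date";

echo "UNSAFE: $unsafe\n";
echo "SAFE:   $safe\n";
```

Comparing the two printed statements shows why the numeric and date formatters validate rather than merely escape: an unquoted number has no quote for an escaper to protect.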
Andromeda © Copyright 2004-2013, Licensed under the GPL Version 2