• Cadavre (1/28/2014)


    Not sure where this post should go. . .

    I have a third party API that I pass data from my database to. The UI front end of my database allows the user to input string data, such as: -

    +5';DROP/**/TABLE[t1];COMMIT;--

    This is properly parametrised on my end so is inserted into my database without executing the "DROP TABLE" command. However, the third party API takes the data I pass to it and builds a SQL statement which means that it ends up executing the "DROP TABLE".

    There is nothing I can do about the code in the third party API and they have insisted that this is a bug in my software and not theirs. I disagree, but arguing the case any further is futile. I was thinking about passing the string through to them as something like: -

    stringVariable.Replace("'", "''")

    I know that parametrising the query would be better, but can anyone see an obvious way to circumvent this "protection"?
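    As an added illustration (not code from the thread), this Python mirrors the `Replace("'", "''")` idea and adds a check a defender can run against the statement the third-party API builds: after escaping, the value must still sit inside a single string literal. The `INSERT` template is an assumption about how such an API concatenates input; the payload is the one quoted above.

```python
# Added example; not from the original post. Reproduces T-SQL quote
# doubling and checks that the escaped value stays inside one literal
# once the (assumed) third-party template concatenates it.

# Constructed from the string quoted in the post.
PAYLOAD = "+5';DROP/**/TABLE[t1];COMMIT;--"

# Assumed shape of the statement the API builds around the value.
API_TEMPLATE = "INSERT INTO t2 (col) VALUES ('{value}')"


def escape_tsql_literal(value: str) -> str:
    """Equivalent of stringVariable.Replace("'", "''"): double every quote."""
    return value.replace("'", "''")


def build_statement(template: str, value: str) -> str:
    """Plain string concatenation, the behaviour described for the API."""
    return template.replace("{value}", value)


def split_statements(sql: str) -> list[str]:
    """Split on ';' that fall outside single-quoted literals.

    A doubled quote ('') toggles the in-literal flag twice, so it stays
    inside the literal, which is exactly what the escaping relies on.
    """
    statements, current, in_literal = [], [], False
    for ch in sql:
        if ch == "'":
            in_literal = not in_literal
        if ch == ";" and not in_literal:
            statements.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    tail = "".join(current).strip()
    if tail:
        statements.append(tail)
    return statements


def is_single_statement(template: str, value: str) -> bool:
    """True when the escaped value cannot terminate the statement.

    Only meaningful when the template quotes the value: doubling quotes
    does nothing for a value the API embeds unquoted (e.g. as a number).
    """
    sql = build_statement(template, escape_tsql_literal(value))
    return len(split_statements(sql)) == 1


if __name__ == "__main__":
    print(split_statements(build_statement(API_TEMPLATE, PAYLOAD)))
    print(is_single_statement(API_TEMPLATE, PAYLOAD))
```

The unescaped payload splits the assumed template into several statements, while the escaped one remains a single `INSERT`; the check says nothing about templates that embed the value without quotes.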

    This is why high velocity pork chops were created. 😉 If you're absolutely 100% positive that it's their code and that you could make a trial jury understand it, then exercise your rights as a consumer. Tell them that if they don't fix it, then you're going to publish your findings on the internet to protect other people from their crap code and that you're going to drop them like a hot potato in the meantime. If your company doesn't want to get involved, make sure that anything that you publish has the disclaimer that you're publishing the fault as an independent agent not associated with any company.

    If that's too high profile for you (and I wouldn't blame you if you felt that way), then tell them that you're just going to recommend to all your friends and contacts that they never have anything to do with them.

    These 3rd party companies need to start taking responsibility for their crap code.

    --Jeff Moden
