Date:  01/25/2012 09:00:53 PM Msg ID:  004414
From:  FoxWeb Support Thread:  004404
Subject:  Re: HTML form hack
SQL Injection attacks involve the use of raw user input to construct SQL commands. In the case of a successful attack, the user input contains characters that alter the SQL command in a way that benefits the attacker. For details, please refer to
In the case of VFP (at least when working with native VFP data, rather than data on a client-server database), data access code is not normally stored in strings before execution, so you are not vulnerable. The possible exception I mentioned is related to situations where the command is actually created as a string and then executed as a macro:
statement = "SELECT * FROM users WHERE name = '" + userName + "';"   && user input concatenated into the command text
&statement   && macro substitution then runs the whole string as code
In this example I can't think of a userName value that could pose a security threat, but if you are constructing INSERT, UPDATE or other statements, it may be possible.
FoxWeb Support Team email
Sent by Joe Goldsmiith on 01/25/2012 08:07:56 PM:
WOW! Thanks for the insight. Might I impose upon you for an example of using an SQL command to gather user input and an example of macro substitution to gather such information please? I thought I was following an example found in the installation folder from years ago.
Sent by FoxWeb Support on 01/25/2012 12:49:09 PM:
The error 501 you mention is probably returned by the SMTP server. SMTP error 501 means "Syntax error in parameters or arguments" and is often a result of invalid recipient email addresses. Could it be that your users are entering an invalid email address in the form?
By the way, unless you are incorporating user input into SQL command strings and then running these command strings via macro substitution, you would not suffer from SQL injection attacks while using FoxWeb (or any other VFP-based framework). 
FoxWeb Support Team email
Sent by Joe Goldsmiith on 01/18/2012 08:51:43 PM:
Recently I have been checking my website's ASPEmail email log and have been finding errors where someone is trying to input/inject strange code into input boxes. I suppose this is an attempt at SQL injection. When the form is processed the flow takes it to ASPEmail to send email. My email server on another server sends back an ERROR 501 so it seems I am stopping that attempt. Would anyone know a technique to ensure my HTML forms catch these attempts before processing?
I have an HTML input form such as, for example:
 <FORM NAME="myform" METHOD="post" ACTION="myform.fwx">
 <TABLE WIDTH="600" cellpadding="0" cellspacing="0" align="center">
             <INPUT TYPE="text" NAME="FIRST" SIZE="15" MAXLENGTH="15" VALUE="<%=(M.RFIRST)%>">
             <INPUT TYPE="text" NAME="LAST" SIZE="15" MAXLENGTH="15" VALUE="<%=(M.RLAST)%>"><br>
             <INPUT TYPE="text" NAME="EMAIL" SIZE="50" MAXLENGTH="50" VALUE="<%=(M.EMAIL)%>">
             <INPUT TYPE="submit" NAME="btnchoice" VALUE="Submit">
 </TABLE>
 </FORM>
When submitted the form recalls the page, stopping at Request.FormCount("btnchoice") > 0 when it is processed. During processing I first check to see if there is an empty string and set an error variable to show an alert. If everything is good I store the input into a database using INSERT INTO. The flow then goes to ASPEmail to send an email to the visitor and me.
Any thoughts from the forum?
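An added example, not code from this thread or from FoxWeb: server-side VFP for the form above, putting the string-plus-macro-substitution pattern described in the support reply next to the native VFP SQL form that passes the variables as data, and adding a pre-check of the fields before anything is stored or handed to ASPEmail. Request.Form() as the field accessor, the users(first, last, email) table, the crsUsers cursor and the IsValidEmail function are assumptions for the illustration.

```foxpro
* Added example (not from the thread). Assumes FoxWeb's Request.Form()
* returns the posted text of a field and a users table with first/last/email.
LOCAL lcFirst, lcLast, lcEmail, lcSql, lcError

lcFirst = ALLTRIM(Request.Form("FIRST"))
lcLast  = ALLTRIM(Request.Form("LAST"))
lcEmail = ALLTRIM(Request.Form("EMAIL"))
lcError = ""

* --- Pattern to avoid: the command is assembled as a string and run through
* macro substitution. The whole of lcSql, user text included, is parsed as
* VFP code, so a quote in lcFirst closes the literal and whatever follows
* becomes part of the statement. Shown only for contrast with the safe form.
lcSql = "SELECT * FROM users WHERE first = '" + m.lcFirst + "' INTO CURSOR crsUsers"
&lcSql

* --- Safe pattern: native VFP SQL referencing memory variables directly.
* The values are compared as data and never re-parsed, so no input can
* change the shape of the command.
SELECT * FROM users WHERE first = m.lcFirst INTO CURSOR crsUsers

* --- Validate before storing or mailing. MAXLENGTH in the HTML form is only
* enforced by the browser, so the lengths are checked again here.
DO CASE
CASE EMPTY(m.lcFirst) OR EMPTY(m.lcLast) OR EMPTY(m.lcEmail)
    lcError = "All fields are required."
CASE LEN(m.lcFirst) > 15 OR LEN(m.lcLast) > 15 OR LEN(m.lcEmail) > 50
    lcError = "Input is too long."
CASE NOT IsValidEmail(m.lcEmail)
    lcError = "Please enter a valid email address."
ENDCASE

IF EMPTY(m.lcError)
    * Same rule for INSERT: variables go in as values, not as command text.
    INSERT INTO users (first, last, email) VALUES (m.lcFirst, m.lcLast, m.lcEmail)
    * ... hand off to ASPEmail only after the checks above pass ...
ENDIF

* Minimal address check (hypothetical helper): exactly one "@", a dot in the
* domain part, and none of the characters an SMTP server rejects in a
* recipient (whitespace, quotes, angle brackets, line breaks).
FUNCTION IsValidEmail(tcEmail)
    LOCAL lcEmail, lcLocal, lcDomain, lcBad
    lcEmail = ALLTRIM(tcEmail)
    IF OCCURS("@", m.lcEmail) # 1
        RETURN .F.
    ENDIF
    lcLocal  = LEFT(m.lcEmail, AT("@", m.lcEmail) - 1)
    lcDomain = SUBSTR(m.lcEmail, AT("@", m.lcEmail) + 1)
    IF EMPTY(m.lcLocal) OR EMPTY(m.lcDomain) OR AT(".", m.lcDomain) = 0
        RETURN .F.
    ENDIF
    lcBad = " " + ["] + ['] + "<>" + CHR(13) + CHR(10) + CHR(9)
    IF LEN(CHRTRAN(m.lcEmail, m.lcBad, "")) # LEN(m.lcEmail)
        RETURN .F.
    ENDIF
    RETURN .T.
ENDFUNC
```

The two SELECT lines produce the same cursor for ordinary names; the difference is only that the macro version re-parses the input as code while the native version treats it as a value. Rejecting malformed addresses server-side also means the form never reaches ASPEmail with input the SMTP server would answer with a 501.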