Condividi tramite


Security Risks for Visual FoxPro Developers

It is important to understand security issues when developing and deploying applications. For general information about developing secure applications, see the Microsoft Web site at https://msdn.microsoft.com/security.

Developers need to be aware of the following specific security issues and best practices when developing Visual FoxPro applications:

  • Validate parameter input values before evaluating them.

    When passing user input values for parameters to commands such as SQL statements, you should include code to check that those values do not contain harmful expressions, such as those that can cause access violations.

    Avoid using simple text boxes for parameter input when possible and choose user interface elements you can more easily control, such as a list boxes, grids as list boxes, or OptionGroup controls. If you must rely on typed user input as parameter input, for example, to execute commands, you should always parse the input for parentheses (()) characters. This ensures that users do not enter input that might be interpreted by Visual FoxPro as an expression. You should also check input for the ampersand (&), which is used as a macro substitution character.

    Caution   Use extreme caution when accepting typed user input as parameters and passing it to the following language elements: RUN or ! command, EVALUATE( ) function, EXECSCRIPT( ) function, _VFP.DoCmd method, _VFP.Eval method, and the ampersand (&) character. This practice is recommended only for advanced developers who use strong parameter validation routines for parsing values that might cause harm to the application, the user's computer, or network.

  • Provide less flexibility to users when providing values for SQL SELECT statements.

    When using COM server or SQL Server methods that accept user input values from a SQL SELECT statement, write code that avoids giving the user access to information that should be secured, such as the computer name, or to perform undesirable actions, such as allowing the user to copy over tables and databases.

  • Set database container (DBC) file system attributes to read-only access.

    If a DBC is set to read/write access, users can modify code for DBC Events, such as the DBC_BeforeOpenTables event, to include damaging code, for example, to format a user's hard drive when opening a table in the DBC.

    If the DBC needs to be modified as part of maintenance, a network administrator can temporarily set the DBC with read/write access and then reset it to read-only access when maintenance is finished.

  • Prevent users from viewing source code in your application by encrypting your application and remove debugging information.

    To protect source code and remove debugging information, open your application project in the Project Manager. To encrypt your application project and not include debugging information, select the Encrypted check box and clear the Debug info check box in the Project Information dialog box. You should then select the Recompile All Files check box in the Build Options dialog box and rebuild your project by clicking Build in the Project Manager window. In the setup section of your application, include the SET DEBUG command.

    The _cryptapi class located in the ...\Ffc\_Crypt.vcx foundation class library provides access to the Windows Crypto API routines so you can encrypt strings, data, or files in your Visual FoxPro Applications.

    For more information, see Project Information Dialog Box, Project Manager Window, Build Options Dialog Box, and SET DEBUG Command.

  • It is recommended that you develop applications that use least privilege user settings. It is not necessary for the user to log in as a power user or administrator.

  • Avoid writing to the registry keys, HKEY_LOCAL_MACHINE and HKEY_CLASSES_ROOT. Instead, write only to the HKEY_CURRENT_USER hive.

  • Do not create or update files in the C:\Program Files (%PROGRAMFILES%) or C:\Windows (%SYSDIR%) directories. Instead, you should write user data to the user application folder. You can use the _commonfolder class located in the ...\Ffc\_System.vcx foundation class library to obtain the location of the user application folder.

  • When creating COM Servers in Visual FoxPro, it is recommended that you create COM+ applications to deploy them so you can enforce COM+ role-based security.

See Also

Security Planning | Security Considerations | Developing Visual FoxPro Applications