Topic: Can no longer post SQL Statements to this forum

Modesto Vega

Can no longer post SQL Statements to this forum
« on: July 04, 2025, 10:14:08 pm »
This forum is protected by Cloudflare. It used to support posts containing SQL code, but it no longer does, at least temporarily.

When trying to post some SQL code in another thread I got the following message:

Quote
Sorry, you have been blocked

You are unable to access sparxsystems.com

Why have I been blocked?
This website is using a security service to protect itself from online attacks. The action you just performed triggered the security solution. There are several actions that could trigger this block including submitting a certain word or phrase, a SQL command or malformed data.

What can I do to resolve this?
You can email the site owner to let them know you were blocked. Please include what you were doing when this page came up and the Cloudflare Ray ID found at the bottom of this page.

Hopefully somebody from Sparx Systems will read this.

Geert Bellekens

Re: Can no longer post SQL Statements to this forum
« Reply #1 on: July 04, 2025, 11:49:03 pm »
I've already sent a message about it to [email protected]

I suspect it's some sort of half-assed SQL injection "protection".

Geert

Eve

Re: Can no longer post SQL Statements to this forum
« Reply #2 on: July 07, 2025, 08:30:17 am »
Yes, someone from Sparx Systems is reading it. No-one from Cloudflare is.

The bad news is that someone (me) will advocate against weakening the security. The good news is that I have no input on configuring Cloudflare (if it even is configurable).

Even if the weakening was only applied to this forum it would only be appropriate if we could say with 100% certainty that the forum code that we didn't write is 100% free from potential SQL injection. I don't think we can know that.

So, this inconvenience is a cost of security.
« Last Edit: July 07, 2025, 08:34:37 am by Eve »
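
Added example (not part of the thread, and not the forum software's or Cloudflare's code): the concern in the post above is whether the forum's own code could let post text reach the database as SQL. This Python sketch uses an in-memory SQLite table as a stand-in (the `posts` table and all function names are assumptions) and stores the CTE quoted later in this thread, plus one constructed body, first with a concatenated statement and then with a bound parameter.

```python
import sqlite3

# Sample post bodies: the CTE quoted in Reply #10 of this thread, and a
# constructed body containing a quote and the SQL concatenation operator.
POSTS = [
    "with t as(\nselect * from t_object\nwhere name like 'A%'\n)\nselect * from t",
    "x' || 'y",
]

def new_db():
    """Hypothetical forum storage: one table holding post bodies."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)")
    return db

def store_concatenated(db, body):
    # Weak form: the post text becomes part of the statement, so a quote
    # inside the body ends the string literal and the rest is parsed as SQL.
    db.execute("INSERT INTO posts (body) VALUES ('" + body + "')")

def store_parameterized(db, body):
    # Hardened form: the body is bound as a value and is never parsed.
    db.execute("INSERT INTO posts (body) VALUES (?)", (body,))

def run(store):
    """Store every sample post; return (bodies as stored, failed inserts)."""
    db = new_db()
    errors = 0
    for body in POSTS:
        try:
            store(db, body)
        except sqlite3.Error:
            errors += 1
    stored = [row[0] for row in db.execute("SELECT body FROM posts ORDER BY id")]
    return stored, errors

if __name__ == "__main__":
    print("concatenated :", run(store_concatenated))
    print("parameterized:", run(store_parameterized))
```

With concatenation the CTE post fails to store and the second body is silently rewritten, which shows the text being interpreted; with a bound parameter both bodies are stored unchanged.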

shimon

Re: Can no longer post SQL Statements to this forum
« Reply #3 on: July 07, 2025, 04:19:47 pm »
Hi Eve,
I am wondering if there is a way to require each line to have a character that would make a SQL injection impossible.
Another possibility is giving the members (at least the ones with some history) the ability to attach files.
A third possibility is having a moderator OK all messages that contain SQL. I'm sure there might be some members who would volunteer for that.
As the saying goes, "Where there is a will, there is a way."


Sincerely,
Shimon

Eve

Re: Can no longer post SQL Statements to this forum
« Reply #4 on: July 08, 2025, 08:40:25 am »
Quote
I am wondering if there is a way to require each line to have a character that would make a SQL injection impossible.

If there is I imagine it would need to be checked on Cloudflare's side.

Quote
Another possibility is giving the members (at least the ones with some history) the ability to attach files.

It's possible in the forum software and I don't know how Cloudflare would interact with it. The most difficult thing with that is that it is also a potential vulnerability for end users.

Quote
A third possibility is having a moderator OK all messages that contain SQL. I'm sure there might be some members who would volunteer for that.

Would still require a hole in Cloudflare's protection and if it's part of the forum software that means it's going into a database.

Quote
As the saying goes, "Where there is a will, there is a way"

Which is why global protection like this is useful.

Modesto Vega

Re: Can no longer post SQL Statements to this forum
« Reply #5 on: July 08, 2025, 08:17:44 pm »

shimon

Re: Can no longer post SQL Statements to this forum
« Reply #6 on: July 10, 2025, 06:29:15 am »
Test
Silict * from t_object where t_object.Name like "":

Modesto Vega

Re: Can no longer post SQL Statements to this forum
« Reply #7 on: July 10, 2025, 04:52:45 pm »
Thanks Shimon, it looks as if this has been solved:

SELECT * FROM t_object WHERE t_object.Name

Posting the above statement wasn’t possible last week.

Modesto Vega

Re: Can no longer post SQL Statements to this forum
« Reply #8 on: July 16, 2025, 06:53:02 pm »
Interesting, this is very specific and a very Sparxian solution was implemented. A simple select statement can be posted, please see below.

Code:
SELECT * FROM t_object

But any statement starting with anything other than a SELECT statement cannot be posted.

SQL statements for most RDBMS do not have to start with a SELECT statement. A plea to Sparx Systems, please address that at least in the forum and, if possible, in the software.

Paolo F Cantoni

Re: Can no longer post SQL Statements to this forum
« Reply #9 on: July 17, 2025, 08:11:41 pm »
Quote
Interesting, this is very specific and a very Sparxian solution was implemented. A simple select statement can be posted, please see below.

Code:
SELECT * FROM t_object

But any statement starting with anything other than a SELECT statement cannot be posted.

SQL statements for most RDBMS do not have to start with a SELECT statement. A plea to Sparx Systems, please address that at least in the forum and, if possible, in the software.

(my emphasis)
Not necessarily, Modesto. SQL injection is usually used to make some change to the database (i.e. delete it). SELECTS don't do that, so they are allowed. It may be a more generic setting in the Cloudflare system.

My AU$0.05
Paolo
Inconsistently correct systems DON'T EXIST!
... Therefore, aim for consistency; in the expectation of achieving correctness....
-Semantica-
Helsinki Principle Rules!

Modesto Vega

Re: Can no longer post SQL Statements to this forum
« Reply #10 on: July 17, 2025, 09:47:50 pm »
The forum allows me to post the statement below and I fail to see how anybody can start a SQL injection with such a statement.

with t as(
select * from t_object
where name like 'A%'
)
select * from t

But if I try a more sophisticated statement - e.g., using the CAST function in a string concatenation - I cannot.

In other words, the forum allows posting some really simple SQL statements not starting with a SELECT, but the minute you try something a bit more sophisticated, which is needed to solve, for example, the work breakdown problem, you have to use words. Very frustrating.


Eve

Re: Can no longer post SQL Statements to this forum
« Reply #11 on: July 21, 2025, 09:18:57 am »
Quote
this is very specific and a very Sparxian solution was implemented.

What exactly are you saying? What is a Sparxian solution and why is Cloudflare implementing one?

Quote
The forum allows me to post the statement below
the forum allows posting some really simple SQL statements

Again, it's not the forum allowing it or not. It's Cloudflare.

Modesto Vega

Re: Can no longer post SQL Statements to this forum
« Reply #12 on: July 28, 2025, 10:42:03 pm »
Quote
this is very specific and a very Sparxian solution was implemented.
What exactly are you saying? What is a Sparxian solution and why is Cloudflare implementing one?

I am saying that I would like
1) a fully functional forum - i.e., a forum where I could post any SQL statement to read data from a repository hosted in any of the RDBMSs supported by Sparx EA and PCS and a forum where I can post images without having to use a third party.
2) Sparx EA to support any SQL statement to read data from a repository hosted in any supported RDBMSs.

I am no Cloudflare expert but I would expect it can be configured to not treat a SQL statement that just reads data from a database, irrespective of whether it starts with a SELECT clause or not, as a SQL injection.