1. sql injection

There was a way perl implementers of the db libraries avoided sql injection attacks. You would pass the values you were sending outside of the string:

So the statement would be passed as: insert into tablefoo values (?,?,?,?) and then for each actual execution you would send the four values as part of an argument list.

I don't know if the .e libraries allow you to do the same thing but they ought to.

Shawn


2. Re: sql injection

Shawn Pringle said...

There was a way perl implementers of the db libraries avoided sql injection attacks. You would pass the values you were sending outside of the string:

So the statement would be passed as: insert into tablefoo values (?,?,?,?) and then for each actual execution you would send the four values as part of an argument list.

I don't know if the .e libraries allow you to do the same thing but they ought to.

That's really a job for the database library you are using because different database servers escape characters differently. Some may use '' to escape a single quote, others will use \'. Now, the way I did it in my unfinished DBI library was to allow you to do things such as:

dt:datetime now = dt:now() 
sequence name = "John Mc'Doe" 
atom salary = 100500.52 
integer age = 11 
sequence comparator = ">" 
 
db:execute(dbh, "UPDATE people SET updated_at=%D, name=%s, salary=%.2f, age=%d WHERE id %S 100", 
    {now, name, salary, age, comparator}) 

The escape codes keep with sprintf as much as possible. The %D converts a datetime.e datetime type into a SQL valid date time string, the %s escapes and quotes the content, the %f, %d work the same as printf, %S is a non-escaped, non-quoted string.

Jeremy

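The two approaches from the first two posts side by side, as an added Python sqlite3 example (not code from the thread or from Jeremy's DBI library): a value spliced in unescaped, the escape-and-quote style of %s, and the Perl DBI style where values travel outside the statement. The people table, row id 101, and the allow-list for the raw %S comparator slot are assumptions made for the example.

```python
import sqlite3

# Constructed sample data; the name is the one used in the post above.
NAME = "John Mc'Doe"
COMPARATORS = {"=", "<>", "<", "<=", ">", ">="}  # allow-list for the raw %S slot

def make_db():
    dbh = sqlite3.connect(":memory:")
    dbh.execute("CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT, salary REAL, age INTEGER)")
    dbh.execute("INSERT INTO people VALUES (101, 'placeholder', 0, 0)")
    return dbh

def sql_quote(value):
    """Escape-and-quote as the %s code above does, for a server that doubles single quotes."""
    return "'" + str(value).replace("'", "''") + "'"

def where_clause(comparator):
    """%S splices a raw string into the statement, so its value must come from an allow-list."""
    if comparator not in COMPARATORS:
        raise ValueError("unsupported comparator: %r" % comparator)
    return "WHERE id %s 100" % comparator

def update_naive(dbh, name, salary, age, comparator=">"):
    # Value spliced into the statement text unescaped: the apostrophe ends the literal early.
    sql = "UPDATE people SET name='%s', salary=%.2f, age=%d " % (name, salary, age)
    dbh.execute(sql + where_clause(comparator))

def update_escaped(dbh, name, salary, age, comparator=">"):
    # Escaping done by the caller; correct only if it matches this server's quoting rules.
    sql = "UPDATE people SET name=%s, salary=%.2f, age=%d " % (sql_quote(name), salary, age)
    dbh.execute(sql + where_clause(comparator))

def update_param(dbh, name, salary, age, comparator=">"):
    # Values travel outside the statement text (the Perl DBI style from the first post),
    # so the driver, not the caller, decides how the server wants them encoded.
    sql = "UPDATE people SET name=?, salary=?, age=? " + where_clause(comparator)
    dbh.execute(sql, (name, salary, age))

def stored_name(updater, name=NAME):
    """Run one updater on a fresh table; return the stored name, or None if it could not execute."""
    dbh = make_db()
    try:
        updater(dbh, name, 100500.52, 11)
    except sqlite3.OperationalError:
        return None
    return dbh.execute("SELECT name FROM people WHERE id = 101").fetchone()[0]

if __name__ == "__main__":
    for fn in (update_naive, update_escaped, update_param):
        print(fn.__name__, "->", stored_name(fn))
```

With the name containing an apostrophe, the naive version is a syntax error, while both the escaped and the parameterised versions store it intact.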

3. Re: sql injection

Shawn Pringle said...

There was a way perl implementers of the db libraries avoided sql injection attacks. You would pass the values you were sending outside of the string:

So the statement would be passed as: insert into tablefoo values (?,?,?,?) and then for each actual execution you would send the four values as part of an argument list.

I don't know if the .e libraries allow you to do the same thing but they ought to.

Oh, I wanted to mention also that there are other injection methods. Two others are XSS injection (injecting JavaScript code into HTML) and possibly the most dangerous shell injection. Prevention of shell injection will be added to os.e, as that's where system commands are executed. Prevention of XSS type injections should be done by the web framework you are using.

Jeremy


4. Re: sql injection

Jeremy Cowgar said...

That's really a job for the database library you are using because different database servers escape characters differently. Some may use '' to escape a single quote, others will use \'. Now, the way I did it in my unfinished DBI library was to allow you to do things such as:

If I read this correctly, you're taking an escape approach, rather than using parameters? What about prepared statements?

Matt


5. Re: sql injection

Matt Lewis said...

If I read this correctly, you're taking an escape approach, rather than using parameters? What about prepared statements?

Prepared statements are not supported yet. It may very well change the design overall. One difficulty with prepared statements and a DBI is how each database may do it slightly differently and some databases do not do it at all... Some use ?, others use %1, %2, %3. I am not yet sure how to go about handling it. I am open to suggestions.

Jeremy

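One way a DBI layer can let callers always write ? while each driver gets its own marker style, as an added Python example (not from the thread or from Jeremy's library): a small rewriter that skips ? inside quoted literals, plus an execute wrapper that feeds sqlite3 its :name style. The style table and the people table are assumptions for the example.

```python
import sqlite3

# Marker styles: the portable '?', the '%1, %2, %3' style mentioned above, and sqlite3's ':name'.
STYLES = {
    "qmark": lambda n: "?",
    "numbered": lambda n: "%" + str(n),
    "named": lambda n: ":p" + str(n),
}

def translate_placeholders(sql, style):
    """Rewrite portable '?' markers to the backend's style.
    A '?' inside a '...' literal (with '' as the escaped quote) is data and is left alone.
    Returns (native_sql, number_of_markers)."""
    render = STYLES[style]
    out, n, i, in_literal = [], 0, 0, False
    while i < len(sql):
        ch = sql[i]
        if in_literal:
            out.append(ch)
            if ch == "'":
                if i + 1 < len(sql) and sql[i + 1] == "'":  # doubled quote: still inside
                    out.append("'")
                    i += 1
                else:
                    in_literal = False
        elif ch == "'":
            in_literal = True
            out.append(ch)
        elif ch == "?":
            n += 1
            out.append(render(n))
        else:
            out.append(ch)
        i += 1
    return "".join(out), n

def execute_portable(dbh, sql, args):
    """DBI-style execute: the caller writes '?', sqlite3 receives ':p1', ':p2', ... and a dict."""
    native, n = translate_placeholders(sql, "named")
    if n != len(args):
        raise ValueError("statement has %d placeholders, %d values given" % (n, len(args)))
    return dbh.execute(native, {"p%d" % (k + 1): v for k, v in enumerate(args)})

def demo():
    dbh = sqlite3.connect(":memory:")
    dbh.execute("CREATE TABLE people (name TEXT, note TEXT, age INTEGER)")
    execute_portable(dbh, "INSERT INTO people VALUES (?, 'what?', ?)", ("John Mc'Doe", 11))
    return dbh.execute("SELECT name, note, age FROM people").fetchone()
```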

6. injection

system( ... , int )

Instead of passing a string with system(), a better function should take what would be formatted like the return value of command_line().

shell_execute( { "/bin/rm", file_name } ) illustrative use only

There are all kinds of problems using system( "rm file_name", 0 ). Imagine if the user installs the program under Program Files and this call is for deleting files for an uninstall. The system answers that it cannot find the file c:\Programs.

Shawn


7. Re: injection

Shawn Pringle said...

shell_execute( { "/bin/rm", file_name } ) illustrative use only

Shawn, an escape.e is floating around out there that has an escape_shellarg() which I was going to add to the standard library for handling shell injection. I will still do that because I am sure people will want to use it, but I really like your idea. That would indeed be a nice function. I'll add it to os.e.

Jeremy


8. Re: sql injection

Yeah, that's exactly what I was thinking. In addition to that, they all handle lots of stuff slightly differently. It's really hard to get good, cross-DB code. If I wanted that portability, I'd probably just use ODBC.


9. Re: injection

Shawn Pringle said...

system( ... , int )

Instead of passing a string with system(), a better function should take what would be formatted like the return value of command_line().

shell_execute( { "/bin/rm", file_name } ) illustrative use only

There are all kinds of problems using system( "rm file_name", 0 ). Imagine if the user installs the program under Program Files and this call is for deleting files for an uninstall. The system answers that it cannot find the file c:\Programs.

Shawn

system( "rm \"file_name\"", 0 )

Not good?

CChris

btw I have cookies enabled, but still asked for my name.


10. Re: injection

CChris said...
Shawn Pringle said...

system( ... , int )

Instead of passing a string with system(), a better function should take what would be formatted like the return value of command_line().

shell_execute( { "/bin/rm", file_name } ) illustrative use only

There are all kinds of problems using system( "rm file_name", 0 ). Imagine if the user installs the program under Program Files and this call is for deleting files for an uninstall. The system answers that it cannot find the file c:\Programs.

Shawn

system( "rm \"file_name\"", 0 )

Not good?

CChris

btw I have cookies enabled, but still asked for my name.

No idea about DOS. On Unix we can do the shell_execute via execv(), and avoid the need to quote altogether. (Presumably shell_execute() wouldn't allow you to use > or < for redirection or | for piping anyways.) However afaik the w32api doesn't have a way to specify arguments as an array of strings so this can't be done on Windows.

Jeremy had an idea to implement shell_execute() cross-platform by simply escaping each argument individually and passing a combined string to system(). This seems to be the best compromise and the simplest approach.


11. Re: injection

CChris said...
system( "rm \"file_name\"", 0 ) 

Not good?

Nope. For instance:

    file_name = "\"; rm -rf \"~/*" 

Matt

PS Some birds do swim.


12. Re: injection

Matt Lewis said...
CChris said...
system( "rm \"file_name\"", 0 ) 

Not good?

Nope. For instance:

    file_name = "\"; rm -rf \"~/*" 

Matt

Shell argument escaping would take care of this.

Matt Lewis said...

PS Some birds do swim.

Which is why it's a perfect choice of question! The ambiguity guarantees only a human brain will be able to solve it!

At least until those T-500s start ramping up production...

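The two shell_execute() designs from the posts above, as an added Python example (not code from the thread, and not the escape_shellarg() from escape.e): the execv()-style path that hands argv to the program with no shell in between, and the per-argument escaping compromise that still has to build one string. shell_words() emulates POSIX shell tokenising so the file name from Matt's reply can be checked without running anything; the escaping is POSIX only, which is an assumption here (Windows has its own quoting rules).

```python
import shlex
import subprocess

# The file name from the reply above, used only as a parse-test input.
HOSTILE_NAME = '"; rm -rf "~/*'

def escape_shellarg(arg):
    """Make one argument a single POSIX shell word: wrap it in single quotes and
    splice any embedded single quote as '\\'' (close, escaped quote, reopen)."""
    return "'" + arg.replace("'", "'\\''") + "'"

def build_command(argv):
    """The cross-platform compromise described above: escape each argv element
    on its own, then join them into the one string a system()-style call takes."""
    return " ".join(escape_shellarg(a) for a in argv)

def shell_words(command):
    """Emulate how a POSIX shell tokenises the string: quotes group, ';' and '|' separate."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    return list(lex)

def shell_execute(argv):
    """The execv()-style path: arguments reach the program as an array, so no quoting is needed."""
    return subprocess.run(argv, check=False).returncode

if __name__ == "__main__":
    # The quoting from CChris's reply: the shell sees a second command after the ';'.
    print(shell_words('rm "' + HOSTILE_NAME + '"'))
    # Escaped per argument: the whole name stays one word of the rm command.
    print(shell_words(build_command(["rm", HOSTILE_NAME])))
```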

13. Re: injection

Matt Lewis said...

PS Some birds do swim.

There's a flying fish too... but yes, the questions are good because you can work out what is meant rather than what the answer should be from the question.

Like any captcha though, you should be able to reload the question if you really don't get it (non-native English speaker maybe).

Gary
