Re: Printf and quoting in general, SQL injection in particular

[Emanuel Berg via Users list for the GNU Emacs text editor <help-gnu-emacs@gnu.org>]

Yuri Khan wrote:

>> Relax, this notion that you shouldn't construct file paths
>> by string functions, nor SQL queries for that matter, and
>> what more? hyperlinks?
>
> Hyperlinks, too.
>
> One of the requirements of URLs is that all non-ascii and
> some ascii characters be %-encoded when used in the path or
> query string, or punycode-encoded when used in the host
> name:
>
>     (let ((base "http://ru.wikipedia.org/wiki/")
>           (term "Гиперссылка")
>           (joined (concat base term)))
>       (assert (string= joined
> "https://ru.wikipedia.org/wiki/%D0%93%D0%B8%D0%BF%D0%B5%D1%80%D1%81%D1%81%D1%8B%D0%BB%D0%BA%D0%B0")))
>  ;; alas, no
>
> Another rule is that resolving a relative reference
> containing a path against a base URL will drop the last
> segment of the base:
>
>     (let ((base "http://example.org/foo")
>           (href "bar")
>           (resolved (concat base href)))
>       (assert (string= resolved "http://example.org/bar")))  ;; also no
>
> String concat does not know any of these rules.
>
> It is okay to represent file names, SQL queries, and URLs as
> strings *internally*. It is okay to use string functions to
> implement high-level domain-specific functions. In many
> cases, interoperating with external code will also require
> these things represented as strings. But it is a good idea
> to use domain-specific functions to manipulate file names,
> queries, and URLs, rather than string functions, because
> this way you are less likely to violate those
> types’ invariants.

Interesting, what about typing? Not as error prone, because
you see the result?

So it is like a three stage hierarchy or procedure rather,

  1. typing (just type, you see it anyway)
  2. manipulate (domain-specific functions)
  3. use

(For hyperlinks, step 1 could be done with a lot of functions
(protocol (domain (path (page (page-type ...) ? That'd just be
grotesque. I don't know if that'd be more safe, really?)

But OK, so instead of "anything goes, then verify input at
step 3" - which is where it matters BTW - the approach is
_type carefully_, then just exclusively use domain-specific
manipulators. So all you have to care about is the typing
part, because after that, it won't get messed up!

I see the point, but - to be honest, string manipulation at
this very basic level - and typing - I don't know, I feel kind
of comfortable doing BOTH by now :) But never say never...

I still don't understand what to replace my stuff with tho,

(let*((emacs-dir "~/.emacs.d")
      (lisp-dir  (format "%s/lisp"       emacs-dir))
      (init-dir  (format "%s/emacs-init" emacs-dir))
      (erc-dir   (format "%s/erc"        init-dir))
      (gnus-dir  (format "%s/gnus"       init-dir))
      (ide-dir   (format "%s/ide"        init-dir))
      (w3m-dir   (format "%s/w3m"        init-dir))
      (dirs     (list
                 lisp-dir
                 init-dir
                 erc-dir
                 gnus-dir
                 ide-dir
                 w3m-dir
                 ))) ...

-- 
underground experts united
https://dataswamp.org/~incal