From: Emanuel Berg via Users list for the GNU Emacs text editor
Newsgroups: gmane.emacs.help
Subject: Re: Printf and quoting in general, SQL injection in particular
Date: Sat, 26 Jun 2021 08:50:58 +0200
Message-ID: <87eecp2k6l.fsf@zoho.eu>
References: <87pmwgdiyj.fsf@zoho.eu> <83y2b3tq07.fsf@gnu.org> <871r8vcrnm.fsf@posteo.net> <20210621141148.GA29347@tuxteam.de> <87zgvjcgh6.fsf@zoho.eu> <87h7hqviu4.fsf@zoho.eu>
Reply-To: Emanuel Berg
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.0.50 (gnu/linux)
To: help-gnu-emacs@gnu.org
Jean Louis wrote:

>>> I am thinking how I can make it safer for SQL queries.
>>
>> SQL injection isn't avoided by not assembling queries with
>> string functions but by quoting user input.
>
> It is impossible in the `emacs-libpq' package to avoid
> formatting strings and passing them to the database.
>
> What is possible is to minimize it so that users' input is
> automatically quoted by the database by passing it as
> parameters instead of passing data as parameters to `format'
> [...]

Relax, this notion that you shouldn't construct file paths by
string functions, nor SQL queries for that matter, and what
more? Hyperlinks? Or are you allowed to do that?

These opinions are "arguably" correct at best - and that means
some people will insist (argue) they are. And maybe that's
what's happening right now?

-- 
underground experts united
https://dataswamp.org/~incal
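The three positions in the quoted exchange (splice data into the query with a format function, quote the input first, or hand it to the database as a parameter) side by side, as an added example that is not from the thread or from emacs-libpq; it uses Python's built-in sqlite3 in place of the Emacs Lisp `format` and libpq calls the thread talks about, and the table contents are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data: one name contains an apostrophe, the character
# that breaks a query assembled with format-style string functions.
SAMPLE_NAMES = ["alice", "O'Brien"]

def open_db() -> sqlite3.Connection:
    """In-memory table for the demonstration (constructed, not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [(n,) for n in SAMPLE_NAMES])
    return conn

def count_by_format(conn: sqlite3.Connection, name: str) -> int:
    """The pattern the thread argues about: data spliced into the SQL text."""
    query = "SELECT count(*) FROM users WHERE name = '%s'" % name
    return conn.execute(query).fetchone()[0]

def count_by_escaping(conn: sqlite3.Connection, name: str) -> int:
    """Quote the input before splicing. Correct only for string literals,
    and only if the doubling rule matches this database's dialect."""
    query = "SELECT count(*) FROM users WHERE name = '%s'" % name.replace("'", "''")
    return conn.execute(query).fetchone()[0]

def count_by_parameter(conn: sqlite3.Connection, name: str) -> int:
    """Pass the value as a query parameter: the driver sends it separately,
    so the database never parses the user's text as SQL."""
    query = "SELECT count(*) FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchone()[0]

def compare(name: str) -> dict:
    """Run all three strategies on one input; a SQL error is reported as a string."""
    conn = open_db()
    results = {}
    for label, fn in (("format", count_by_format),
                      ("escaping", count_by_escaping),
                      ("parameter", count_by_parameter)):
        try:
            results[label] = fn(conn, name)
        except sqlite3.Error as exc:
            results[label] = "error: %s" % exc
    conn.close()
    return results
```

With "alice" all three strategies return the same count; with "O'Brien" the format-built query fails to parse while the quoted and parameterized versions both find the row.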