From: Jean Louis <bugs@gnu.support>
To: help-gnu-emacs@gnu.org
Subject: Re: Printf and quoting in general, SQL injection in particular [was: Emacs Modular Configuration: the preferable way]
Date: Mon, 28 Jun 2021 09:56:31 +0300 [thread overview]
Message-ID: <YNlyn4zWugXHnaw/@protected.localdomain> (raw)
In-Reply-To: <87v9612l2n.fsf@zoho.eu>
* Emanuel Berg <moasenwood@zoho.eu> [2021-06-26 02:31]:
> > There is nothing special to SQL then to any other kind of
> > user's input. In fact, PostgreSQL and MySQL or MariaDB are
> > rather safe databases.
>
> I think that has turned into a schoolbook example because it
> has a cool name and everyone will understand it instantly.
> So it can serve the educational purpose to illuminate this in
> all of computing to not execute or use user input, without
> checking it out first. Indeed it would surprise me if you
> could just do it out-of-the-box for modern database management
> systems and expect it to be just wide open there for you to
> do it.
There is way to go and that is by providing parameters that are automatically escaped.
pq:query is a module function.
(pq:query CONN COMMAND &rest PARAMETERS)
Execute COMMAND on CONN with optional PARAMETERS.
Run an SQL command on a connection obtained by ‘pq:connectdb’.
If PARAMETERS are used, you can reference them in COMMAND using
$1, $2, ..., $12.
Return the list of rows returned by the last statement in COMMAND.
Rows are returned as atomic values if the statement yields a single
column, or a vector of values if it yields more than one column.
I am anyway SQL escaping all of the input values to database.
Since we talked I have moved to better workflow and now I am
first preparing one part of the SQL command without user's input
and then using the user's input as a parameter that prevents those problems.
I just guess it should be similar in MariaDB or MySQL. But I
don't use it due to lack of readline and command expansion.
> > On the other hand injecting simple malicious Emacs Lisp
> > anywhere in any file is as a possible option omni-present on
> > Internet, and we don't even speak about that.
>
> Well, it doesn't work like that, really.
It is about the same danger. Practically there was never danger
on my side as it is me who is using the database which is motly
the case with many database applications. Problem comes with a
large users base where malicious people may start doing something
to the company or public or unknown crackers or script
kiddies. It is better not to classify possible problematic
sources and just do it more safe.
> > Thousands of users are blindly accepting programs from MELPA
>
> Ha ha, thousands of users are doing that blindly! My, my.
> How many people are doing it with ONE EYE open, you think?
Well, without watching in the code. Click and install. There is
no real security involved and users don't watch what is being
installed, as Internet is large it is quite easy to create a game
and make backdoor in Emacs or do other malicious stuff. It is
also possible to make a module and do same. Until we know it, we
cannot know it.
> > Bounty is US $10 from my side if somebody succeeds to SQL
> > inject in my software a DROP of a table.
>
> But where are your tables?
Find it for the bounty.
--
Jean
Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns
In support of Richard M. Stallman
https://stallmansupport.org/
next prev parent reply other threads:[~2021-06-28 6:56 UTC|newest]
Thread overview: 86+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-21 1:40 Emacs Modular Configuration: the preferable way Hongyi Zhao
2021-06-21 2:56 ` Emanuel Berg via Users list for the GNU Emacs text editor
2021-06-21 6:40 ` Jean Louis
2021-06-21 16:31 ` Emanuel Berg via Users list for the GNU Emacs text editor
2021-06-21 19:55 ` Jean Louis
2021-06-22 0:06 ` Emanuel Berg via Users list for the GNU Emacs text editor
2021-06-21 10:14 ` Arthur Miller
2021-06-21 16:40 ` Emanuel Berg via Users list for the GNU Emacs text editor
2021-06-21 18:25 ` [External] : " Drew Adams
2021-06-26 0:17 ` Emanuel Berg via Users list for the GNU Emacs text editor
2021-06-26 0:31 ` Emanuel Berg via Users list for the GNU Emacs text editor
2021-06-21 18:38 ` Arthur Miller
2021-06-22 0:03 ` Emanuel Berg via Users list for the GNU Emacs text editor
2021-06-22 0:17 ` Jean Louis
2021-06-22 7:52 ` Arthur Miller
2021-06-26 6:58 ` Emanuel Berg via Users list for the GNU Emacs text editor
2021-06-21 11:29 ` Eli Zaretskii
2021-06-21 12:45 ` Philip Kaludercic
2021-06-21 12:55 ` Eli Zaretskii
2021-06-21 13:59 ` [External] : " Drew Adams
2021-06-21 16:51 ` Emanuel Berg via Users list for the GNU Emacs text editor
2021-06-21 18:08 ` Eli Zaretskii
2021-06-21 18:26 ` FW: " Drew Adams
2021-06-26 0:06 ` Emanuel Berg via Users list for the GNU Emacs text editor
2021-06-21 14:11 ` tomas
2021-06-21 16:47 ` Emanuel Berg via Users list for the GNU Emacs text editor
2021-06-21 18:06 ` Eli Zaretskii
2021-06-21 21:09 ` Jean Louis
2021-06-22 11:45 ` Eli Zaretskii
2021-06-22 12:29 ` Jean Louis
2021-06-22 13:07 ` Eli Zaretskii
2021-06-21 20:05 ` Stefan Monnier via Users list for the GNU Emacs text editor
2021-06-22 0:16 ` Emanuel Berg via Users list for the GNU Emacs text editor
2021-06-21 21:07 ` Jean Louis
2021-06-22 0:33 ` Emanuel Berg via Users list for the GNU Emacs text editor
2021-06-22 0:52 ` Printf and quoting in general, SQL injection in particular Jean Louis
2021-06-26 6:50 ` Emanuel Berg via Users list for the GNU Emacs text editor
2021-06-26 7:30 ` Yuri Khan
2021-06-26 7:57 ` Emanuel Berg via Users list for the GNU Emacs text editor
2021-06-26 9:37 ` tomas
2021-06-28 7:02 ` Jean Louis
2021-07-06 2:12 ` Emanuel Berg via Users list for the GNU Emacs text editor
2021-07-06 2:46 ` Emanuel Berg via Users list for the GNU Emacs text editor
2021-06-21 20:36 ` Emacs Modular Configuration: the preferable way Jean Louis
2021-06-21 21:15 ` Printf and quoting in general, SQL injection in particular [was: Emacs Modular Configuration: the preferable way] tomas
2021-06-21 21:29 ` Jean Louis
2021-06-22 0:31 ` Emanuel Berg via Users list for the GNU Emacs text editor
2021-06-22 0:47 ` Jean Louis
2021-06-26 6:31 ` Emanuel Berg via Users list for the GNU Emacs text editor
2021-06-28 6:56 ` Jean Louis [this message]
2021-07-06 1:57 ` Emanuel Berg via Users list for the GNU Emacs text editor
2021-07-06 20:04 ` Jean Louis
2021-07-06 20:19 ` Emanuel Berg via Users list for the GNU Emacs text editor
2021-06-22 0:23 ` Emanuel Berg via Users list for the GNU Emacs text editor
2021-06-22 12:12 ` Eli Zaretskii
2021-06-22 12:37 ` Jean Louis
2021-06-22 13:10 ` Eli Zaretskii
2021-06-22 15:45 ` Jean Louis
2021-06-22 16:04 ` Eli Zaretskii
2021-06-22 18:01 ` Jean Louis
2021-06-22 18:25 ` Eli Zaretskii
2021-06-26 6:46 ` Emanuel Berg via Users list for the GNU Emacs text editor
2021-06-26 7:15 ` Eli Zaretskii
2021-06-28 7:04 ` Jean Louis
2021-07-06 2:05 ` Emanuel Berg via Users list for the GNU Emacs text editor
2021-07-06 20:09 ` Jean Louis
2021-07-06 20:23 ` Emanuel Berg via Users list for the GNU Emacs text editor
2021-07-07 0:00 ` Jean Louis
2021-06-28 6:59 ` Jean Louis
2021-07-06 2:02 ` Emanuel Berg via Users list for the GNU Emacs text editor
2021-07-06 20:06 ` Jean Louis
2021-07-06 20:20 ` Emanuel Berg via Users list for the GNU Emacs text editor
2021-06-26 6:41 ` Emanuel Berg via Users list for the GNU Emacs text editor
2021-06-26 6:39 ` Emanuel Berg via Users list for the GNU Emacs text editor
2021-06-21 16:42 ` Emacs Modular Configuration: the preferable way Emanuel Berg via Users list for the GNU Emacs text editor
2021-06-22 12:50 ` Lars Ingebrigtsen
2021-06-26 8:05 ` Emanuel Berg via Users list for the GNU Emacs text editor
2021-06-21 20:02 ` Jean Louis
2021-06-22 0:11 ` Emanuel Berg via Users list for the GNU Emacs text editor
2021-06-22 0:19 ` Jean Louis
2021-06-21 6:37 ` Jean Louis
2021-06-21 7:00 ` Hongyi Zhao
2021-06-21 10:06 ` Arthur Miller
2021-06-21 10:26 ` Hongyi Zhao
2021-06-21 11:10 ` Arthur Miller
2021-06-23 2:17 ` Hongyi Zhao
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/emacs/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YNlyn4zWugXHnaw/@protected.localdomain \
--to=bugs@gnu.support \
--cc=help-gnu-emacs@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).