From: Emanuel Berg via Users list for the GNU Emacs text editor
Newsgroups: gmane.emacs.help
Subject: Re: Printf and quoting in general, SQL injection in particular [was: Emacs Modular Configuration: the preferable way]
Date: Sat, 26 Jun 2021 08:31:44 +0200
Message-ID: <87v9612l2n.fsf@zoho.eu>
References: <87pmwgdiyj.fsf@zoho.eu> <83y2b3tq07.fsf@gnu.org> <871r8vcrnm.fsf@posteo.net> <20210621141148.GA29347@tuxteam.de> <20210621211547.GA12274@tuxteam.de> <87lf72vixh.fsf@zoho.eu>
Reply-To: Emanuel Berg
To: help-gnu-emacs@gnu.org
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.0.50 (gnu/linux)
Xref: news.gmane.io gmane.emacs.help:131240

Jean Louis wrote:

>>> I agree on that. But we cannot possibly expect all
>>> possible dangers to be known by all possible programmers
>>> at all times especially on this mailing list
>>
>> OK, so the SQL injection is a common attack vector, but
>> what should we call this issue?
>
> It is probably lack of database administration skills. It is
> nothing related to Emacs really.

It doesn't? :)

> There is nothing special to SQL than to any other kind of
> user's input. In fact, PostgreSQL and MySQL or MariaDB are
> rather safe databases.

I think that has turned into a schoolbook example because it
has a cool name and everyone will understand it instantly.
So it can serve the educational purpose to illuminate this in
all of computing: to not execute or use user input without
checking it out first.
Indeed it would surprise me if you could just do it
out-of-the-box for modern database management systems and
expect it to be just wide open there for you to do it.

> On the other hand injecting simple malicious Emacs Lisp
> anywhere in any file is as a possible option omni-present on
> Internet, and we don't even speak about that.

Well, it doesn't work like that, really.

> Thousands of users are blindly accepting programs from MELPA

Ha ha, thousands of users are doing that blindly! My, my.
How many people are doing it with ONE EYE open, you think?

M-x how-many RET

> And then we worry about possible SQL injections in Emacs
> Lisp.

No we aren't...

> Bounty is US $10 from my side if somebody succeeds to SQL
> inject in my software a DROP of a table.

But where are your tables?

-- 
underground experts united
https://dataswamp.org/~incal
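The "schoolbook example" the message refers to is the difference between pasting a user-supplied string into SQL text and passing it as a bound parameter. The following is an added illustration, not code from this thread or from either poster; it uses Python's standard sqlite3 module with a constructed in-memory table, so it runs offline. The table, the two sample rows and the function names are all assumptions made for the example.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the thread).
SAMPLE_ROWS = [
    ("alice", "alice@example.invalid"),
    ("bob", "bob@example.invalid"),
]


def make_db():
    """Build a throwaway in-memory SQLite database with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_concat(conn, name):
    """Unsafe pattern: the caller's string becomes part of the SQL
    text, so a quote character in it changes the statement's structure
    instead of being compared as a value."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """Safe pattern: the value travels separately from the statement
    text via a '?' placeholder, so the driver always treats it as data.
    No hand-written quoting or escaping is needed."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def demo():
    """Run both lookups on an ordinary name and on the textbook
    quote-bearing input, and return the four result lists."""
    conn = make_db()
    honest = "alice"
    # The classic textbook input: a stray quote plus an always-true
    # condition.  Concatenation turns it into part of the WHERE clause;
    # a bound parameter just compares it as a (non-matching) string.
    tricky = "x' OR 'a'='a"
    return {
        "concat_honest": lookup_concat(conn, honest),
        "concat_tricky": lookup_concat(conn, tricky),
        "param_honest": lookup_param(conn, honest),
        "param_tricky": lookup_param(conn, tricky),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Running `demo()` shows the whole point of the subject line's "quoting in general": the concatenated query returns every row for the quote-bearing input, while the parameterised query returns nothing, because the database never parsed that input as SQL. The fix is not to escape user input by hand but to keep data out of the statement text altogether, which is what the placeholder does. One caveat for the "DROP of a table" scenario mentioned above: whether a second, appended statement would even run depends on the driver; Python's sqlite3 `execute()` refuses more than one statement per call, which is a property of that driver, not a reason to rely on concatenation.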