From: Jakub Jankiewicz
Newsgroups: gmane.lisp.guile.user
Subject: Prevent SQL Injection in DBI
Date: Sun, 26 Mar 2017 18:54:27 +0200
Message-ID: <20170326185427.32f0f832@jcubic>
To: guile-user@gnu.org

Hi all,

I want to use guile-dbi with unsafe user input. I have code like this:

(dbi-query db-obj (string-append "SELECT * FROM users WHERE username = '" username "'"))

How can I escape the username given by the user to prevent SQL injection? I could validate the username to only contain letters using an [a-zA-Z] regex, but what about other languages that have non-Latin letters, and names like O'Conor? This will also not work for passwords that may have special characters.

--
Jakub Jankiewicz, Web Developer
http://jcubic.pl
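One way to build the query safely from Guile when the driver only accepts a finished SQL string, as an added example that is not part of the original post and not guile-dbi's own code. It assumes that guile-dbi's dbi-query offers no parameter binding, so every user-supplied value is turned into a SQL literal on the client side (single quotes doubled, which is the standard SQL rule) before it is spliced into a programmer-written template. The helper names sql-quote-string, sql-quote, sql-format and user-lookup-query are my own, not part of guile-dbi.

```scheme
;; Added example, not code from the original post.  It assumes that
;; guile-dbi's dbi-query takes one finished SQL string and offers no
;; parameter binding, so values have to be turned into safe literals
;; client-side before they are spliced into the query.

;; Quote a string as a SQL string literal.  Standard SQL escapes a
;; single quote by doubling it; that is what SQLite and PostgreSQL
;; (with standard_conforming_strings on) understand.  MySQL also treats
;; backslash as an escape character unless NO_BACKSLASH_ESCAPES is set,
;; so pass #:mysql? #t there to double backslashes as well.
(define* (sql-quote-string s #:key (mysql? #f))
  (when (string-index s #\nul)
    ;; A NUL would be cut off by a C-based driver; reject it rather
    ;; than silently truncating the value.
    (error "NUL byte not allowed in SQL string literal"))
  (let loop ((chars (string->list s)) (acc '()))
    (cond
     ((null? chars)
      (string-append "'" (list->string (reverse acc)) "'"))
     ((char=? (car chars) #\')
      (loop (cdr chars) (cons #\' (cons #\' acc))))
     ((and mysql? (char=? (car chars) #\\))
      (loop (cdr chars) (cons #\\ (cons #\\ acc))))
     (else
      (loop (cdr chars) (cons (car chars) acc))))))

;; Quote any supported Scheme value as a SQL literal.  Anything not
;; explicitly handled is an error, never passed through as raw text.
(define* (sql-quote v #:key (mysql? #f))
  (cond
   ((not v) "NULL")
   ((eq? v #t) "TRUE")
   ((and (real? v) (finite? v)) (number->string v))
   ((string? v) (sql-quote-string v #:mysql? mysql?))
   (else (error "cannot quote value for SQL:" v))))

;; Expand a template whose ? placeholders are replaced, in order, by
;; the quoted values in ARGS.  The template is written by the
;; programmer and must contain no user data and no string literals of
;; its own, so every ? is a real placeholder.  The argument count must
;; match the placeholder count exactly.
(define* (sql-format template args #:key (mysql? #f))
  (let loop ((chars (string->list template)) (args args) (acc '()))
    (cond
     ((null? chars)
      (unless (null? args)
        (error "too many arguments for SQL template:" template))
      (list->string (reverse acc)))
     ((char=? (car chars) #\?)
      (when (null? args)
        (error "too few arguments for SQL template:" template))
      (loop (cdr chars) (cdr args)
            (append (reverse (string->list
                              (sql-quote (car args) #:mysql? mysql?)))
                    acc)))
     (else
      (loop (cdr chars) args (cons (car chars) acc))))))

;; The query from the post, rebuilt with a placeholder.  The returned
;; string is what would be handed to (dbi-query db-obj ...).
(define (user-lookup-query username)
  (sql-format "SELECT * FROM users WHERE username = ?" (list username)))

;; Constructed sample inputs: a name with an apostrophe, a name with
;; non-Latin letters, and a classic injection attempt.
(for-each
 (lambda (name)
   (display (user-lookup-query name))
   (newline))
 (list "O'Conor"
       "Zażółć gęślą jaźń"
       "' OR '1'='1"))
```

Running this prints three SELECT statements: the apostrophe in O'Conor becomes a doubled quote inside the literal, the non-Latin name passes through unchanged, and the injection attempt ends up as the literal ''' OR ''1''=''1', so it is compared as a username instead of changing the WHERE clause. Two caveats apply: quoting rules are database-specific (hence the #:mysql? switch), and the template itself must never be built from user input. If a Guile database binding that exposes prepared statements with bound parameters is available for the database in question, binding parameters server-side is preferable to any client-side quoting.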