* Prevent SQL Injection in DBI
@ 2017-03-26 16:54 Jakub Jankiewicz
2017-03-27 18:24 ` Christopher Allan Webber
0 siblings, 1 reply; 3+ messages in thread
From: Jakub Jankiewicz @ 2017-03-26 16:54 UTC (permalink / raw)
To: guile-user
Hi all,
I want to use guile-dbi with unsafe user input. I have code like this:
(dbi-query db-obj (string-append "SELECT * FROM users WHERE username = '"
username
"'"))
How can I escape username given from user to prevent sql injection?
I could validate username to only contain letters using [a-zA-Z] regex but
what about other languages that have non Latin letters and names like O'Conor?
This will also don't work for password that may have special characters.
--
Jakub Jankiewicz, Web Developer
http://jcubic.pl
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Prevent SQL Injection in DBI
2017-03-26 16:54 Prevent SQL Injection in DBI Jakub Jankiewicz
@ 2017-03-27 18:24 ` Christopher Allan Webber
2017-07-10 22:13 ` Linas Vepstas
0 siblings, 1 reply; 3+ messages in thread
From: Christopher Allan Webber @ 2017-03-27 18:24 UTC (permalink / raw)
To: Jakub Jankiewicz; +Cc: guile-user
Jakub Jankiewicz writes:
> Hi all,
>
> I want to use guile-dbi with unsafe user input. I have code like this:
>
> (dbi-query db-obj (string-append "SELECT * FROM users WHERE username = '"
> username
> "'"))
>
> How can I escape username given from user to prevent sql injection?
>
> I could validate username to only contain letters using [a-zA-Z] regex but
> what about other languages that have non Latin letters and names like O'Conor?
> This will also don't work for password that may have special characters.
guile-squee is pretty immature but I do think it does this one bit
correctly... parameters to the procedure shouldn't be substituted in the
string, they should be provided as additional arguments, like
(exec-query db-obj "SELECT * FROM users WHERE username=$1"
'("alice"))
I seem to remember trying to find out if this was possible to do in
dbi-query, and not succeeding at finding such a route? (guile-dbi,
unlike guile-squee, has some maturity though...)
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Prevent SQL Injection in DBI
2017-03-27 18:24 ` Christopher Allan Webber
@ 2017-07-10 22:13 ` Linas Vepstas
0 siblings, 0 replies; 3+ messages in thread
From: Linas Vepstas @ 2017-07-10 22:13 UTC (permalink / raw)
To: Christopher Allan Webber; +Cc: Jakub Jankiewicz, Guile User
I don't think guile-dbi does this safety check. You are welcome to add it.
Since gna.org is dead, I moved everything over to
https://github.com/opencog/guile-dbi
--linas
On Mon, Mar 27, 2017 at 1:24 PM, Christopher Allan Webber <
cwebber@dustycloud.org> wrote:
> Jakub Jankiewicz writes:
>
> > Hi all,
> >
> > I want to use guile-dbi with unsafe user input. I have code like this:
> >
> > (dbi-query db-obj (string-append "SELECT * FROM users WHERE username = '"
> > username
> > "'"))
> >
> > How can I escape username given from user to prevent sql injection?
> >
> > I could validate username to only contain letters using [a-zA-Z] regex
> but
> > what about other languages that have non Latin letters and names like
> O'Conor?
> > This will also don't work for password that may have special characters.
>
> guile-squee is pretty immature but I do think it does this one bit
> correctly... parameters to the procedure shouldn't be substituted in the
> string, they should be provided as additional arguments, like
>
> (exec-query db-obj "SELECT * FROM users WHERE username=$1"
> '("alice"))
>
> I seem to remember trying to find out if this was possible to do in
> dbi-query, and not succeeding at finding such a route? (guile-dbi,
> unlike guile-squee, has some maturity though...)
>
>
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2017-07-10 22:13 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-03-26 16:54 Prevent SQL Injection in DBI Jakub Jankiewicz
2017-03-27 18:24 ` Christopher Allan Webber
2017-07-10 22:13 ` Linas Vepstas
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).