From: ludo@gnu.org (Ludovic Courtès)
To: Danny Milosavljevic <dannym@scratchpost.org>
Cc: 30386@debbugs.gnu.org
Subject: [bug#30386] [PATCH v2 cuirass] database: Prevent SQL injection.
Date: Fri, 09 Feb 2018 17:05:34 +0100 [thread overview]
Message-ID: <87k1vmywq9.fsf@gnu.org> (raw)
In-Reply-To: <20180209121612.09a0cf53@scratchpost.org> (Danny Milosavljevic's message of "Fri, 9 Feb 2018 12:16:11 +0100")
Danny Milosavljevic <dannym@scratchpost.org> skribis:
>> optimization looks good, provided the extra conditions don’t make sqlite
>> slower.
>
> Compared to parsing the SQL text again and again (which is dead slow), I think
> an extra NULL check *on the same field* is not going to matter at all.
>
> Even compared to using lots of main memory and thus not being able to use
> the processor's cache (if we had lots of prepared statements), I think an
> extra NULL check is still better :)
>
> Of course once we have a lot of data in the tables, the actual lookup costs
> will dwarf any setup costs. Then still, it's checking the same field that's
> used anyway, so the extra cost should be neglible.
Sounds good, let’s do that then.
>> It might allow us to use ‘sqlite-exec’ directly, and thus
>> benefit from the binding support in there, as in:
>>
>> (sqlite-exec db "… WHERE " id " is NULL or …")
>
> I added sqlite-bind-arguments with keyword arguments specifically so sqlite-exec
> doesn't suck.
>
> So it would be like (sqlite-exec db "SELECT … :a … :b … :a"
> #:a 42
> #:b 2)
>
> Before, it was:
>
> (sqlite-exec db "SELECT … ? … ? … ?"
> 42
> 2
> 42)
Right, but now it’s as I wrote above: you can include arguments in the
middle of the SQL strings, and ‘sqlite-exec’ takes care of turning
that into question marks and so on:
https://git.savannah.gnu.org/cgit/guix/guix-cuirass.git/commit/?id=b0c39b31f61cfc494e0dfbe823b3fe4275efbc7a
Anyway, we can support both the keyword style you show above, and the
other thing I mention, and use whichever is most convenient for the code
at hand.
I find the ‘sqlite-exec’ convenient for simple cases where the query is
a literal, but the keyword style might be more convenient for complex
queries like ‘db-get-builds’.
Thanks,
Ludo’.
next prev parent reply other threads:[~2018-02-09 16:06 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-07 23:12 [bug#30386] [PATCH cuirass] database: Prevent SQL injection Danny Milosavljevic
2018-02-08 16:34 ` [bug#30386] [PATCH v2 " Danny Milosavljevic
2018-02-09 9:51 ` Ludovic Courtès
2018-02-09 11:16 ` Danny Milosavljevic
2018-02-09 16:05 ` Ludovic Courtès [this message]
2018-02-09 16:45 ` Danny Milosavljevic
2018-03-02 12:59 ` bug#30386: " Ludovic Courtès
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87k1vmywq9.fsf@gnu.org \
--to=ludo@gnu.org \
--cc=30386@debbugs.gnu.org \
--cc=dannym@scratchpost.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).