Re: ustring compose escaping capability

On Wed, 2008-01-23 at 11:02 -0500, Paul Davis wrote:
> On Wed, 2008-01-23 at 10:36 +0100, Szilard Pfeiffer wrote:
> > I hope there will be no misunderstanding if I write it step-by-step: 
> > 
> > 1. in the glibmm there is an ustring::compose API 
> > 2. it is not possible to escape with this API 
> > 3. it would be useful for us (my colleagues and me) and maybe for
> > others 
> > 4. we have a potential solution (without API incompatibility) 
> > 5. with some work i can create a patch for you 
> > 6. it would be lovely if you integrated our patch to the glibmm 
> > 
> > Do you plan to implement your own solution to the problem? 
> > May I hope you will integrate our solution into the glibmm if you find it
> > correct? 
> > 
> > regards 
> > Szilard 
> > 
> > p.s.:
> > 
> > In this case escaping means string conversion. I think something like
> > the following:
> > 
> > ustring::compose("SELECT * FROM table_name WHERE pub='%1'", "Joe's")
> > 
> > The result of the composition should be "SELECT * FROM table_name
> > WHERE pub='Joe\'s'", but without escaping it will be "SELECT * FROM
> > table_name WHERE pub='Joe's'", which is an incorrect SQL command.
> 
> it's totally wrong to do this within the compose code.
> 
> the function you want is much more general:
> 
> ustring::compose ("SELECT * FROM table_name WHERE pub='%1'",
> make_legal_sql ("Joe's"))
> 
> ustring make_legal_sql(const ustring&) is a critical function because it
> is (presumably) accepting user input and passing it to an SQL execution
> engine. any user input should be thoroughly "scrubbed" before this
> happens because of the potential security implications. simply escaping
> quotes is only the start of what is needed (although it's a big part).

In my humble opinion it is totally wrong in the way you describe.

Suppose you have 100 different queries, each with 2 different arguments (on
average); you state that calling make_legal_sql() 200 times is a safer
approach than providing the same functionality in one place in compose?

I'd bet that everyone would forget at least one make_legal_sql()
invocation.

What does make_legal_sql() do in your example? I say that everything it
does can be done in the escaping mechanism that we described. Under the
term "escaping" I mean to do whatever transformation on the string
necessary to make it sane in the specific context.

-- 
Bazsi
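An added illustration of the two positions above, written for this page and not code from glibmm or from either poster. The `Escaper` hook and the `compose()` stand-in are hypothetical: real `ustring::compose` has no such parameter, and the stand-in only handles `%1`..`%9` and `%%`. It assumes the MySQL-style backslash escaping implied by the `Joe\'s` example (standard SQL doubles the quote, `Joe''s`, instead), and the `first_literal()` decoder is a deliberately simplified model of how such a parser reads the literal. The point it demonstrates is the one Paul raises: escaping only the quote is not enough, because a backslash at the end of the argument neutralises the escape that was just added and the literal closes early.

```cpp
#include <cstddef>
#include <functional>
#include <iostream>
#include <string>
#include <vector>

// Escaping policy applied to every argument before substitution.
// Hypothetical: glibmm's ustring::compose has no such hook; this models
// the proposal under discussion.
using Escaper = std::function<std::string(const std::string&)>;

// What compose does today: arguments are substituted verbatim.
std::string no_escape(const std::string& s) { return s; }

// Quote-only escaping, the "start" that the thread mentions.
std::string escape_quotes_only(const std::string& s) {
    std::string out;
    for (char c : s) {
        if (c == '\'') out += "\\'";
        else out += c;
    }
    return out;
}

// Escaping for a MySQL-style single-quoted literal (assumed dialect).
// The backslash itself must be escaped too; otherwise a backslash at the
// end of the input swallows the escape added in front of the quote.
std::string escape_mysql_literal(const std::string& s) {
    std::string out;
    for (char c : s) {
        switch (c) {
            case '\\': out += "\\\\"; break;
            case '\'': out += "\\'";  break;
            case '\0': out += "\\0";  break;
            case '\n': out += "\\n";  break;
            case '\r': out += "\\r";  break;
            default:   out += c;
        }
    }
    return out;
}

// Minimal stand-in for ustring::compose: %1..%9 placeholders, %% for a
// literal percent sign. Every argument passes through `esc` exactly once,
// so the policy lives in one place instead of at every call site.
std::string compose(const std::string& fmt,
                    const std::vector<std::string>& args,
                    const Escaper& esc = no_escape) {
    std::string out;
    for (std::size_t i = 0; i < fmt.size(); ++i) {
        if (fmt[i] == '%' && i + 1 < fmt.size()) {
            char n = fmt[i + 1];
            if (n == '%') { out += '%'; ++i; continue; }
            if (n >= '1' && n <= '9') {
                std::size_t idx = static_cast<std::size_t>(n - '1');
                if (idx < args.size()) out += esc(args[idx]);
                ++i;
                continue;
            }
        }
        out += fmt[i];
    }
    return out;
}

// Decode the first single-quoted literal of a composed query the way a
// MySQL-style parser would, returning the value the database sees.
// Anything after the closing quote is parsed as SQL syntax.
std::string first_literal(const std::string& query) {
    std::size_t i = query.find('\'');
    if (i == std::string::npos) return "";
    std::string out;
    for (++i; i < query.size(); ++i) {
        char c = query[i];
        if (c == '\\' && i + 1 < query.size()) {
            char e = query[++i];
            switch (e) {
                case 'n': out += '\n'; break;
                case 'r': out += '\r'; break;
                case '0': out += '\0'; break;
                default:  out += e;      // \\ -> \ and \' -> '
            }
            continue;
        }
        if (c == '\'') break;            // closing quote: literal ends here
        out += c;
    }
    return out;
}

// Round-trip check: an escaper is adequate for this dialect only if the
// database decodes exactly the argument the caller supplied.
bool survives_round_trip(const std::string& arg, const Escaper& esc) {
    const std::string query =
        compose("SELECT * FROM table_name WHERE pub='%1'", {arg}, esc);
    return first_literal(query) == arg;
}

int main() {
    const std::string fmt = "SELECT * FROM table_name WHERE pub='%1'";
    // Constructed inputs: the thread's "Joe's", and a crafted value that
    // puts a backslash right before the quote.
    const std::string benign = "Joe's";
    const std::string crafted = "\\' OR 1=1 -- ";

    std::cout << compose(fmt, {benign}) << '\n';                      // unescaped, as today
    std::cout << compose(fmt, {benign}, escape_quotes_only) << '\n';  // pub='Joe\'s'
    std::cout << compose(fmt, {crafted}, escape_quotes_only) << '\n'; // literal closes early
    std::cout << compose(fmt, {crafted}, escape_mysql_literal) << '\n';
    std::cout << "quotes-only round trip: "
              << survives_round_trip(crafted, escape_quotes_only) << '\n';   // 0
    std::cout << "backslash-aware round trip: "
              << survives_round_trip(crafted, escape_mysql_literal) << '\n'; // 1
    return 0;
}
```

Passing the escaper into `compose()` is Bazsi's "one place" approach; calling `escape_mysql_literal()` at the call site and leaving `esc` at its default is Paul's `make_legal_sql()` approach. In both cases the escaper has to match the database dialect the query is sent to, which is the part neither message pins down. Bound parameters, which the thread does not discuss, avoid the question entirely because the argument never becomes part of the SQL text.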
