Re: ustring compose escaping capability
- From: Balazs Scheidler <bazsi balabit hu>
- To: paul linuxaudiosystems com
- Cc: gtkmm-list gnome org
- Subject: Re: ustring compose escaping capability
- Date: Wed, 23 Jan 2008 17:39:58 +0100
On Wed, 2008-01-23 at 11:02 -0500, Paul Davis wrote:
> On Wed, 2008-01-23 at 10:36 +0100, Szilard Pfeiffer wrote:
> > I hope there will be no misunderstanding if I write it step-by-step:
> > 1. in the glibmm there is an ustring::compose API
> > 2. it is not possible to escape with this API
> > 3. it would be useful for us (my colleagues and me) and maybe for
> > others
> > 4. we have a potential solution (without API incompatibility)
> > 5. with some work i can create a patch for you
> > 6. it would be lovely if you integrated our patch to the glibmm
> > Do you plan to implement your own solution to the problem?
> > May I hope you integrate our solution to the glibmm if you find it
> > correct?
> > regards
> > Szilard
> > p.s.:
> > In this case escaping means string conversion. I think something like
> > the following:
> > ustring::compose("SELECT * FROM table_name WHERE pub='%1'", "Joe's")
> > The result of the composition should be "SELECT * FROM table_name
> > WHERE pub='Joe\'s'", but without escaping it will be "SELECT * FROM
> > table_name WHERE pub='Joe's'", which is an incorrect SQL command.
> it's totally wrong to do this within the compose code.
> the function you want is much more general:
> ustring::compose ("SELECT * FROM table_name WHERE pub='%1'",
> make_legal_sql ("Joe's"))
> ustring make_legal_sql(const ustring&) is a critical function because it
> is (presumably) accepting user input and passing it to an SQL execution
> engine. any user input should be thoroughly "scrubbed" before this
> happens because of the potential security implications. simply escaping
> quotes is only the start of what is needed (although it's a big part).
In my humble opinion it is totally wrong in the way you describe.
Suppose you have 100 different queries, each 2 different arguments (on
average), you state that calling make_legal_sql() 200 times is a safer
approach than providing the same functionality in one place in compose?
I'd bet that everyone would forget at least one make_legal_sql().
What does make_legal_sql() do in your example? I say that everything it
does can be done in the escaping mechanism that we described. Under the
term "escaping" I mean to do whatever transformation on the string
necessary to make it sane in the specific context.
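The two positions in the thread (escape once, centrally, inside compose; or escape each argument at every call site) can be made concrete with a small stand-in for ustring::compose. The following is an added example, not glibmm code and not code from anyone on this list; it uses std::string instead of Glib::ustring, and the names compose, escape_sql_quoted and escape_sql_integer are illustrative. It reproduces the "Joe's" case from the original mail and then goes one step beyond it to show Paul's point that quote-escaping is only the start: in an unquoted numeric context the same escaper changes nothing, so the "transformation necessary for the specific context" has to be a different one. (In practice, bound parameters in the database API avoid the whole question; the example only illustrates the string-level argument made here.)

```cpp
// Added example, not part of glibmm: a minimal compose() with a central
// escaping hook, used to illustrate the thread's SQL escaping discussion.
#include <cctype>
#include <cstddef>
#include <functional>
#include <stdexcept>
#include <string>
#include <vector>

using Escaper = std::function<std::string(const std::string&)>;

// Escaping for a value that lands *inside* single quotes. Standard SQL
// doubles the quote ("Joe''s"); the "Joe\'s" form in the mail is a
// MySQL-ism, so the standard form is used here.
std::string escape_sql_quoted(const std::string& s) {
    std::string out;
    out.reserve(s.size() + 2);
    for (char c : s) {
        if (c == '\'') out += "''";
        else out += c;
    }
    return out;
}

// "Escaping" for an unquoted integer context: there is nothing to quote,
// the only sane transformation is to accept a plain integer literal and
// reject everything else.
std::string escape_sql_integer(const std::string& s) {
    if (s.empty()) throw std::invalid_argument("empty integer");
    std::size_t i = (s[0] == '-') ? 1 : 0;
    if (i == s.size()) throw std::invalid_argument("not an integer: " + s);
    for (; i < s.size(); ++i)
        if (!std::isdigit(static_cast<unsigned char>(s[i])))
            throw std::invalid_argument("not an integer: " + s);
    return s;
}

std::string identity(const std::string& s) { return s; }

// compose("... %1 ... %2", args, esc): every %N becomes esc(args[N-1]),
// "%%" is a literal percent sign. Because the escaper is applied here,
// no call site can forget it (the point made in the reply above).
std::string compose(const std::string& fmt,
                    const std::vector<std::string>& args,
                    const Escaper& esc = identity) {
    std::string out;
    for (std::size_t i = 0; i < fmt.size(); ++i) {
        if (fmt[i] != '%') { out += fmt[i]; continue; }
        if (i + 1 < fmt.size() && fmt[i + 1] == '%') { out += '%'; ++i; continue; }
        std::size_t j = i + 1, n = 0;
        while (j < fmt.size() && std::isdigit(static_cast<unsigned char>(fmt[j])))
            n = n * 10 + static_cast<std::size_t>(fmt[j++] - '0');
        if (j == i + 1 || n == 0 || n > args.size())
            throw std::out_of_range("bad placeholder in format: " + fmt);
        out += esc(args[n - 1]);
        i = j - 1;
    }
    return out;
}

// The mail's example without escaping: the quote in the value closes the
// SQL string literal early and the statement is malformed.
std::string broken_query() {
    return compose("SELECT * FROM table_name WHERE pub='%1'", {"Joe's"});
}

// The same call with the escaper applied centrally by compose.
std::string escaped_query() {
    return compose("SELECT * FROM table_name WHERE pub='%1'", {"Joe's"},
                   escape_sql_quoted);
}

// Quote-escaping in an unquoted context: the value contains no quote, so
// the escaper leaves the injected expression untouched.
std::string numeric_quote_escaped() {
    return compose("SELECT * FROM t WHERE id=%1", {"1 OR 1=1"}, escape_sql_quoted);
}

// The context-appropriate transformation rejects the same value.
bool numeric_rejects(const std::string& v) {
    try {
        compose("SELECT * FROM t WHERE id=%1", {v}, escape_sql_integer);
        return false;
    } catch (const std::invalid_argument&) {
        return true;
    }
}
```

The escaper is chosen per compose() call rather than per placeholder, which is the simplest reading of "in one place in compose"; a format string mixing quoted and unquoted placeholders would need a per-placeholder context, and that is exactly where the "whatever transformation the context requires" definition stops being one function.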