Re: Prevent SQL Injection in DBI

guile-user

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Prevent SQL Injection in DBI

From:	Christopher Allan Webber
Subject:	Re: Prevent SQL Injection in DBI
Date:	Mon, 27 Mar 2017 13:24:47 -0500
User-agent:	mu4e 0.9.18; emacs 25.1.1

Jakub Jankiewicz writes:

> Hi all,
>
> I want to use guile-dbi with unsafe user input. I have code like this:
>
> (dbi-query db-obj (string-append "SELECT * FROM users WHERE username = '"
>                                  username
>                                  "'"))
>
> How can I escape username given from user to prevent sql injection?
>
> I could validate username to only contain letters using [a-zA-Z] regex but
> what about other languages that have non Latin letters and names like O'Conor?
> This will also don't work for password that may have special characters.

guile-squee is pretty immature but I do think it does this one bit
correctly... parameters to the procedure shouldn't be substituted in the
string, they should be provided as additional arguments, like

  (exec-query db-obj "SELECT * FROM users WHERE username=$1"
              '("alice"))

I seem to remember trying to find out if this was possible to do in
dbi-query, and not succeeding at finding such a route?  (guile-dbi,
unlike guile-squee, has some maturity though...)

[Prev in Thread]

Current Thread

[Next in Thread]

Prevent SQL Injection in DBI, Jakub Jankiewicz, 2017/03/26
- Re: Prevent SQL Injection in DBI, Christopher Allan Webber <=

Prev by Date: Prevent SQL Injection in DBI
Next by Date: Error compiling guile modules with guile extended program
Previous by thread: Prevent SQL Injection in DBI
Next by thread: Error compiling guile modules with guile extended program
Index(es):
- Date
- Thread