Subject: Printf and quoting in general, SQL injection in particular [was: Emacs Modular Configuration: the preferable way]
From: tomas
Date: Mon, 21 Jun 2021 23:15:47 +0200
User-agent: Mutt/1.5.21 (2010-09-15)
On Mon, Jun 21, 2021 at 11:36:25PM +0300, Jean Louis wrote:
> * tomas@tuxteam.de <tomas@tuxteam.de> [2021-06-21 17:12]:
> > But you still see extremely bad habits "out there" which wouldn't be
> > necessary these days -- because, well, they are "out there" (for
> > example: assembling SQL queries with sprintf [1]). They take a life
> > of their own :-)
> >
> > Cheers
> > [1] https://xkcd.com/327/
>
> Your small reference is definitely a possible danger if SQL input is
> anyhow exposed [...]
My hint was rather a metaphor: using string operations on things that
aren't really strings (in the original case: file system paths) can
lead to surprising results.
> the danger mentioned on the funny comic is practically non-existent as
> it will never take place on my side [...]
But your side is not "the world", and therefore Eli's warning was
spot-on. Someone will browse the mail archives and copy your solution
without knowing the dangers.
> I am heavy user of the Emacs package: emacs-libpq @ Github
> https://github.com/anse1/emacs-libpq
No idea and no bandwidth to read it all. If you are tied to
PostgreSQL (a good choice, I'd say), consider using prepared
queries: they do what client-side template expansion does (even the
careful kind, with unescaping and all), and I'd expect them to
do it much better, since PostgreSQL knows its own syntax best.
Cheers
- t
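The contrast tomas draws above, sprintf-style query assembly against a prepared (parameterized) query, as an added example that is not part of the post or of emacs-libpq. It assumes SQLite from the Python standard library as an offline stand-in for PostgreSQL (the parameter-passing idea is the same as a PostgreSQL prepared statement), and the table contents are constructed.

```python
import sqlite3

# Constructed sample data; a perfectly legitimate name contains a quote.
STUDENTS = [(1, "Alice"), (2, "O'Brien"), (3, "Robert")]


def make_db():
    """In-memory SQLite database standing in for the PostgreSQL server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO students VALUES (?, ?)", STUDENTS)
    return conn


def find_ids_sprintf_style(conn, name):
    """The sprintf habit: splice the value into the SQL text.

    Any quote character in the data becomes SQL syntax, so the statement the
    parser sees is not the one the author wrote. With a name like O'Brien the
    statement is simply malformed; returns the error text instead of rows.
    """
    sql = "SELECT id FROM students WHERE name = '%s'" % name
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as exc:
        return "error: %s" % exc


def find_ids_parameterized(conn, name):
    """Prepared/parameterized form: the SQL text is fixed, the value travels
    separately and is never parsed as SQL, so no client-side escaping is
    needed and the database applies its own quoting rules."""
    sql = "SELECT id FROM students WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


if __name__ == "__main__":
    db = make_db()
    for who in ("Alice", "O'Brien"):
        print(who, "sprintf-style:", find_ids_sprintf_style(db, who))
        print(who, "parameterized:", find_ids_parameterized(db, who))
```

The same data that merely breaks the assembled statement here is what the comic turns into an extra statement; the parameterized query treats it as a value in both cases.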