[EMAIL PROTECTED] wrote:

> The select proc is only in the pg driver in order to support some ancient
> AOLserver 2 functionality that I doubt anyone else uses any more.

Then should it be removed?  (in someone's copious free time...)

> It shouldn't appear in your sqlite3 driver, IMO.

Could you expand on this? You've got way more experience with the db drivers than I do so I'm inclined to take your advice, but I'm curious why you think a unified exec is better than separate select/dml/generic functions.

Aside from that, do you also think the generic function should be preferred over the specific function if both are defined?


> I suggest you implement Stephen Deasy's straightforward check that
> differentiates between queries that return rows (i.e. SELECT queries, but
> using SQLite's parser) to differentiate between NS_ROWS and NS_DML
> queries.

> As far as security goes, no one should allow for the direct execution of
> external SQL anyway, not even a SELECT.  If someone's code breaks because
> they execute a "DROP TABLE" statement sent to their site via a query
> string or whatever, there's not much reason to have sympathy for them.

Yes, everyone should check their inputs to avoid this, but things sometimes slip through. What I worry about is a high-profile SQL-injection vulnerability being discovered leading to manager-esque types saying "AOLserver is inherently insecure because of how it handles database queries, so we can't use it." (It hasn't slowed down PHP, though.)

One of my few gripes about the ns_db interface is that you can only pass raw sql instead of being able to use bind variables. It makes the correct code more verbose and the simple code insecure. I wish I could write my queries as
 ns_db select $db "select * from users where id = ?" $user
instead of
 ns_db select $db "select * from users where id = [ns_dbquotevalue $user]"
Yes, it's a straightforward wrapper function to do that (although you wouldn't get the performance benefits from a stored prepared statement that are theoretically possible) but having it as core functionality would be nicer.

-J
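The bind-variable point made above, as an added example that is not from the thread and not AOLserver or ns_db code: Python's standard sqlite3 module happens to use exactly the `?` placeholder syntax the message wishes for, so the three forms (raw interpolation, value passed through a quoting helper, value bound as a parameter) can be run side by side against the same query. The `users` table, its rows, the hostile input and the `quote_value` helper (a hypothetical stand-in for ns_dbquotevalue) are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the thread).
SAMPLE_USERS = [(1, "alice"), (2, "bob"), (3, "carol")]


def make_db():
    """In-memory SQLite database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (id integer primary key, name text)")
    conn.executemany("insert into users values (?, ?)", SAMPLE_USERS)
    return conn


def quote_value(value):
    """Hypothetical stand-in for ns_dbquotevalue: wrap the value in single
    quotes and double any embedded single quote. It is only as safe as the
    discipline of calling it for every dynamic value; one forgotten call
    reopens the hole, which is the 'simple code is insecure' complaint."""
    return "'" + str(value).replace("'", "''") + "'"


def select_interpolated(conn, user):
    """The 'simple code' shape: the value is pasted into the SQL text, so a
    hostile value becomes part of the statement's structure."""
    sql = "select * from users where id = %s" % user
    return conn.execute(sql).fetchall()


def select_quoted(conn, user):
    """The verbose-but-correct shape: the value is quoted before pasting."""
    sql = "select * from users where id = %s" % quote_value(user)
    return conn.execute(sql).fetchall()


def select_bound(conn, user):
    """The shape the message wishes ns_db supported: a '?' placeholder with
    the value bound separately. SQLite parses the statement before it sees
    the value, so the value can never alter the statement's structure."""
    return conn.execute("select * from users where id = ?", (user,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    hostile = "1 or 1=1"          # constructed hostile "user id"
    print(select_interpolated(conn, hostile))   # every row leaks
    print(select_quoted(conn, hostile))         # no match
    print(select_bound(conn, hostile))          # no match
    print(select_bound(conn, 1))                # the intended single row
```

Run against the constructed table, the interpolated query returns all three rows for the hostile value, while both the quoted and the bound forms return none of them and still return the single intended row for a genuine id; the bound form gets that guarantee from the parser rather than from the caller remembering to quote.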


--
AOLserver - http://www.aolserver.com/

To Remove yourself from this list, simply send an email to <[EMAIL PROTECTED]> 
with the
body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject: 
field of your email blank.
