Hello!
On Thursday 24 September 2009 17:56:08 Bas Scheffers wrote:
> The two main attack vectors for any web application are: remote code
> execution and SQL injection. The first one could occur if you
> dynamically create Tcl code using values sent by a user (either as
> form data, part of the URL, part of headers, anything) and then use
> subst or eval on it. Don't do that! :)
And Tcl 8.5 has the very useful {*} operator for list substitution.
> SQL injection (google it) is
> pretty much the same, except on the sql level. Always use
> ns_sqlquotevalue or a routine you create yourself to properly quote
> ANY value. Just because you are expecting a numeric value to come
> back, you can't think that you won't have to check it. You must check
> if it is a number value. ("string is integer -strict" is your friend)
You can quote all values as text and do the type translation when it is needed.
As an example, for PostgreSQL:
proc ns_dbquotevalue {value {type text}} {
    # empty input becomes an empty string literal
    if {[string match "" $value]} {
        return "''"
    }
    # double every single quote so the literal cannot be closed early
    regsub -all "'" $value "''" value
    if {$type eq "text"} {return "'$value'"}
    # otherwise let PostgreSQL cast the quoted text to the requested type
    return "'$value'::$type"
}
A query will then look like:
puts "select [ns_dbquotevalue 999 int];"
select '999'::int;
Best regards, Alexey Pechnikov.
http://pechnikov.tel/
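To make both warnings from the thread concrete (never eval or subst user data; quote every SQL value and type-check the numeric ones), here is an added example in Tcl 8.5. It is my code, not from either post and not AOLserver's own ns_dbquotevalue; the procedure names quote_pg, find_user_unsafe, find_user_safe, find_by_id, run_unsafe and run_safe are hypothetical, and it assumes a PostgreSQL server with standard_conforming_strings on, so that doubling single quotes is the only escaping a string literal needs.

```tcl
# Added example, not from the original posts or from AOLserver.
package require Tcl 8.5

# Quote a value as a PostgreSQL string literal, optionally with a cast.
# Assumption: standard_conforming_strings = on, so a backslash has no
# special meaning inside '...' and only the single quote must be doubled.
proc quote_pg {value {type text}} {
    set escaped [string map {' ''} $value]
    if {$type eq "text"} {
        return "'$escaped'"
    }
    # The cast target is spliced into SQL verbatim, so it must never come
    # from the request; restrict it to a plain identifier as a guard.
    if {![regexp {^[a-z_][a-z0-9_]*$} $type]} {
        error "refusing unexpected type name: $type"
    }
    return "'$escaped'::$type"
}

# Vulnerable: the request value is interpolated straight into the query.
proc find_user_unsafe {name} {
    return "select id from users where name = '$name';"
}

# Hardened: every value goes through the quoter, whatever it looks like.
proc find_user_safe {name} {
    return "select id from users where name = [quote_pg $name];"
}

# Numeric parameters: validate first, then quote and cast anyway.
proc find_by_id {id} {
    if {![string is integer -strict $id]} {
        error "id must be an integer, got: $id"
    }
    return "select id from users where id = [quote_pg $id int];"
}

# RCE side of the same lesson. eval re-parses the string as Tcl code,
# so a bracketed command in the input gets executed.
proc run_unsafe {userinput} {
    eval "list $userinput"
}

# {*} expands the input as a list of literal arguments; nothing inside
# an element is ever evaluated as a command.
proc run_safe {userinput} {
    list {*}$userinput
}

# Constructed hostile inputs for a quick demonstration.
set evil_name "' or 1=1; --"
puts [find_user_unsafe $evil_name]
puts [find_user_safe $evil_name]
puts [find_by_id 999]
catch {find_by_id "999 or 1=1"} msg
puts "rejected: $msg"
puts [run_safe {a [set ::pwned 1] b}]
puts "pwned set by run_safe? [info exists ::pwned]"
```

The first puts shows the closing quote supplied by the attacker ending the literal early; in the hardened version the same input comes out as a single quoted string. If the server still runs with standard_conforming_strings off (the default before PostgreSQL 9.1), a value ending in a backslash would escape the closing quote of the literal, so on such servers backslashes must be doubled too, or, better, the query should use bind variables where the driver supports them.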
--
AOLserver - http://www.aolserver.com/