On Thu, Sep 24, 2009 at 7:58 AM, Alexey Pechnikov
<[email protected]> wrote:
> Hello!
>
> On Thursday 24 September 2009 17:56:08 Bas Scheffers wrote:
>> The two main attack vectors for any web application are: remote code
>> execution and SQL injection. The first one could occur if you
>> dynamically create Tcl code using values sent by a user (either as
>> form data, part of the URL, part of headers, anything) and then use
>> subst or eval on it. Don't do that! :)
If you keep your sql code separate from the user supplied data, you
can use [subst]:
set sql {select * from emp where emp_id = $id}
set id [ns_queryget id 1]
#assume database does not care about quoted numeric types
# otherwise check with [string is double -strict $id]
set id '[string map {' ''} $id]
set subst_sql [subst $sql]
This requires complete control over the value of the sql code. The
best way to test your system of generating a sql query is to try it
out on a database table which stores sql code:
create table my_sql_queries (id integer, query text);
Then try to use a query:
set sql {insert into sql_queries values (nextval('my_sequence'), $query)}
> You can quote all values as text and make type translation when is needed.
> As example, for PostgreSQL
>
> proc ns_dbquotevalue {value {type text}} {
> if {[string match "" $value]} {
> return "''"
> }
> regsub -all "'" $value "''" value
> if {$type eq "text"} {return "'$value'"}
> return "'$value'::$type"
> }
Personally I would use [string is double -strict] and quote anything
that fails with surrounding quotes (always quote the value using
[string map {' ''} $value], or regsub, but [string map] is probably
faster. The above API has the potential to be incorrectly used by
developers (the same thing which causes sql injection problems). What
is better is a type system which handles each type in a separate API
and rejects unfound types. Here is an example, extensible type system:
http://junom.com/gitweb/gitweb.perl?p=tnt.git;a=blob;f=packages/db/tcl/type-procs.tcl;h=d6d9d
You also cannot allow the user to supply any part of the sql code, for
instance a table name, however it is possible to use a mapping of user
supplied values to sql code fragments which can be used with [subst].
tom jackson
--
AOLserver - http://www.aolserver.com/
To Remove yourself from this list, simply send an email to
<[email protected]> with the
body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject:
field of your email blank.
