> I've been alerted that a site I maintain, running on AOLserver 4.5.0
> using the nspostgres driver, may be vulnerable to sql injection.
>
> A typical adp page performs a query like this:
>
> set sql_query "select * from sometable where entrynumber = $id"
>
> In a previous discussion thread here ("ns_db and bind variable
> support") I see "ns_db prepare..." mentioned. Is that a safer way to
> perform db queries in adp pages?
Yes, you're vulnerable to a SQL injection attack in the example above, if the
"id" variable is coming from the user. Most every web programming language has
the same vulnerability.
You need to quote-protect any input from a user to prevent this attack. I use:
    # double every single quote so it cannot terminate the string literal
    proc sqlquote {in} {
        regsub -all ' $in '' out
        return $out
    }
otherwise the user can put an end-quote in the input they send you, and then
put their own sql statement in to execute. It's a very simple attack to perform.
i.e. your code should look like this:
    set sql_query "select * from sometable where entrynumber = [sqlquote $id]"
Note that SQLite has built-in Tcl support that does this automatically, which
is very convenient.
-john
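An added example (not from the thread above, and not AOLserver's own code) that runs in plain tclsh: it keeps the sqlquote proc from the reply and adds two hypothetical helpers, sql_literal and sql_int, to show that doubling quotes only protects a value that is itself wrapped in single quotes, and that a numeric column such as entrynumber needs type validation instead.

```tcl
# Runs in plain tclsh; no AOLserver or nspostgres needed.
# sql_literal, sql_int and build_query are hypothetical helper names.

# The proc from the reply: double every single quote in the input.
proc sqlquote {in} {
    regsub -all ' $in '' out
    return $out
}

# A string literal. Doubled quotes are only meaningful once the value sits
# inside single quotes, so wrap it here instead of trusting every caller to.
proc sql_literal {value} {
    return "'[sqlquote $value]'"
}

# A numeric column. sqlquote leaves any input without a quote character
# untouched, so for an unquoted number it changes nothing; reject anything
# Tcl does not parse as an integer before it reaches the statement.
proc sql_int {value} {
    if {![string is integer -strict $value]} {
        error "expected an integer parameter, got \"$value\""
    }
    return $value
}

# The query from the original post, with the numeric parameter validated.
proc build_query {id} {
    return "select * from sometable where entrynumber = [sql_int $id]"
}

# Constructed inputs for demonstration.
puts [build_query 42]
puts "select * from sometable where name = [sql_literal {O'Brien}]"
# Non-integer text contains no quote, so sqlquote alone would have let it
# through verbatim; sql_int refuses it instead of building the query.
if {[catch {build_query {42 extra}} msg]} {
    puts "rejected: $msg"
}
```

AOLserver's Tcl library also provides ns_dbquotevalue for quoting string values; check the behaviour in your 4.5.0 install before relying on it, since the thread itself does not cover it.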
--
AOLserver - http://www.aolserver.com/