The short answer is yes, it might be vulnerable; it depends on what scrubbing you do of your input data.

The good news is that it's also fairly easy to fix. If you're using openacs then there's already a set of tools (check_for_form_variable_naughtiness) for checking what is being passed into your forms.

Otherwise, you could add in a site-wide filter that checks various well-known form vars (such as "id") for stuff that shouldn't be there (like non-integers).

Unfortunately the postgres driver doesn't protect against dml injection. I'm fairly certain it wasn't possible to do so before postgres 8 because of the APIs available, and the driver probably hasn't been updated to use the new APIs (PQexecParams instead of PQexec) and besides, doing so would probably break existing code.

There's another subtler problem too, in that the db drivers support 3 different query methods - select, dml, and generic exec. However, if the generic exec method is supported at all, then the (possibly) more specific select or dml calls are not used.

-J
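The "site-wide filter" idea above, written out as an added example that is not code from either poster: an AOLserver preauth filter that rejects any request whose well-known integer form variables (such as "id") carry anything other than an integer, so the interpolated query in the original question ("select * from sometable where entrynumber = $id") can only ever see a number. The ns_* commands are AOLserver built-ins (ns_register_filter, ns_queryget, ns_conn, ns_log, ns_returnbadrequest); the proc names and the list of checked variables are this example's own choices.

```tcl
# Added example (not from the thread): site-wide input check for AOLserver.
# Put this in a Tcl init script so it is registered when the server starts.

# Pure-Tcl check: true only for an optionally signed decimal integer.
# "string is integer -strict" rejects the empty string and any trailing text,
# so values like "1 or 1=1" or "1; delete from sometable" fail the check.
proc is_safe_integer {value} {
    return [string is integer -strict $value]
}

# Filter proc. AOLserver passes the filter stage ("preauth" here) as the
# last argument. The variable list is this example's assumption about which
# form variables every adp page on the site treats as integers.
proc check_integer_form_vars {why} {
    set integer_form_vars {id entrynumber}
    foreach var $integer_form_vars {
        # ns_queryget returns the default ("") when the variable is absent,
        # so only variables the client actually submitted are checked.
        set value [ns_queryget $var ""]
        if {$value ne "" && ![is_safe_integer $value]} {
            ns_log Warning "rejected [ns_conn url]: $var=\"$value\" is not an integer"
            ns_returnbadrequest "Invalid value for $var"
            # filter_return: a response was already sent, do not run the page.
            return filter_return
        }
    }
    return filter_ok
}

# Register for every adp page, GET and POST, before authorization runs.
ns_register_filter preauth GET  /*.adp check_integer_form_vars
ns_register_filter preauth POST /*.adp check_integer_form_vars
```

The filter only covers the variables named in its list; a page that interpolates any other form variable into SQL still has to validate it itself (the same is_safe_integer check works inside an adp page), and the rejected requests show up in the server log, which is a convenient place to watch for injection attempts.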

I've been alerted that a site I maintain, running on AOLserver 4.5.0
using the nspostgres driver, may be vulnerable to sql injection.

A typical adp page performs a query like this:

set sql_query "select * from sometable where entrynumber = $id"
set db [ns_db gethandle]
set selection [ns_db select $db $sql_query]
ns_db getrow $db $selection
...

I would guess that "ns_db select" would make any damaging injected dml
statements impossible.  Is that correct?

In a previous discussion thread here ("ns_db and bind variable
support") I see "ns_db prepare..." mentioned.  Is that a safer way to
perform db queries in adp pages?

/Björn


--
AOLserver - http://www.aolserver.com/

To Remove yourself from this list, simply send an email to 
<[email protected]> with the
body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject: 
field of your email blank.
