This is slightly outdated documentation, but it is still valid regarding encoding strings for various uses in Roxen: http://docs.roxen.com/roxen/4.5/web_developer_manual/entity/encoding.xml
Change "where id=&form.id;" to "where id=&form.id:mysql;" and you will avoid escaping in MySQL.

Dave Hunter

On Mon, Jun 30, 2014 at 10:30 AM, Michael A. Patton <[email protected]> wrote:

> On my personal web site I have several sets of pages that use form
> arguments for communication. It's been pointed out that I need to do
> better validation to avoid injection attacks. Primarily, the various
> pages are invoked with "?id=N" for some integer N. But, right now it
> just uses that, for example, in a MySQL query "where id=&form.id;"
> clause. That means that you could invoke the page with "?id=1 or true"
> at the end and subvert the where clause. Actually, another test that I
> recently added seems to fix this specific case. But, presumably, more
> elaborate hacking could get the MySQL to do useful things for you. So
> what I need is appropriate RXML that can _safely_ validate that form.id
> is an integer (I already check the case where there's no match in the
> table).
>
> The best trick I've come up with so far is:
> <if expr='STRING(INT("&form.id;")) == "&form.id;"'>
> But that is still subject to injection attacks, if you put double quotes
> in the form argument. But, it seems to work against anything else...
>
> So, my question for the list is: Is there a good standard way to do form
> argument validation in RXML? I can see doing it with some added Pike
> code (a new if plugin that takes a var _name_ and validates the content
> for you.) But from RXML everything I've thought of has problems with
> some form of injection attack.
>
> If you want to see the actual pages, they are among other things, the
> library catalog at <http://MAP.MAP-NE.com/Library/> (but these don't
> even have that above test in them, yet, only the dev version does, so
> please don't abuse this too much).
>
> Michael A. Patton, President [email protected]
> MAP Network Engineering http://MAP-NE.com
> Network Infrastructure design: Routing, DNS, more
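The two query forms discussed in the thread side by side, as an added illustration that is not code from either poster. The table and column names (`books`, `id`, `title`) are constructed, and it assumes `:mysql` escapes quote and backslash characters the way a MySQL string escaper does, which only protects a value that sits inside quotes in the query.

```rxml
<!-- Constructed example; table "books" with integer column "id" is assumed, not from the thread. -->

<!-- Unsafe: the raw form value is spliced into the WHERE clause unchanged,
     so "?id=1 or true" becomes "WHERE id=1 or true" and matches every row. -->
<emit source="sql" query="SELECT title FROM books WHERE id=&form.id;">
  &_.title;<br/>
</emit>

<!-- Hardened: the value is escaped with :mysql and placed inside single quotes.
     A quote character in the input is escaped rather than closing the string,
     so the whole form value is compared as one literal. MySQL compares a
     quoted string against an integer column by converting the string, so a
     well-formed "?id=42" still matches id 42. -->
<emit source="sql" query="SELECT title FROM books WHERE id='&form.id:mysql;'">
  &_.title;<br/>
</emit>
```

Without the surrounding quotes the escaping has nothing to act on (`1 or true` contains no quote characters), so the quoting is what makes `:mysql` effective here; an explicit integer check on `form.id` before the query remains a good second layer.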
