Re: [libdbi-users] libdbi and SQL Injection

2014-01-10 Thread Markus Hoenicka
 

On 2014-01-10 14:17, Markus Hoenicka wrote: 

 if I understand you correctly, you attempt to insert a value containing the 
 string "%s Saints going down tonight!" using the libdbi function 
 dbi_conn_queryf(). Thing is, dbi_conn_queryf() is intended to make 
 dbi_conn_query() behave somewhat like sprintf() in that you can specify a 
 formatting string containing placeholders like %s, followed by parameters 
 that are filled in. If you want to preserve the %s literally, you either 
 need to escape or quote the values properly, or you should rather use 
 dbi_conn_query() which sends the string parameter to the db engine literally. 
 You still need to watch out for proper quoting and escaping as per the 
 language specs of your db engine.

I forgot to mention that the dbi_conn_quote_string() and
dbi_conn_escape_string() functions and their relatives can do the
quoting and escaping for you, please check the manual.

regards,
Markus

-- 
Markus Hoenicka
http://www.mhoenicka.de
AQ score 38

--
CenturyLink Cloud: The Leader in Enterprise Cloud Services.
Learn Why More Businesses Are Choosing CenturyLink Cloud For
Critical Workloads, Development Environments & Everything In Between.
Get a Quote or Start a Free Trial Today.
http://pubads.g.doubleclick.net/gampad/clk?id=119420431&iu=/4140/ostg.clktrk
libdbi-users mailing list
libdbi-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/libdbi-users


Re: [libdbi-users] libdbi and SQL Injection

2014-01-10 Thread Markus Hoenicka
 

At 2014-01-10 15:56, Rick Robinson was heard to say: 

 I have tried the following, which I believe is on the right track but the 
 program crashes as soon as it gets to dbi_conn_quote_string_copy. I try to 
 use dbi_conn_quote_string_copy to keep the bad string locked down, and then 
 use dbi_conn_queryf to read the new locked down value into the db. Sadly, I 
 am not the greatest C coder so I am probably overlooking something relatively 
 simple to make this work. 
 
 char *pTitle=NULL; 
 char *pTitle2=NULL; 
 
 if ((ch)->player.title) 
 { 
   sprintf (pTitle, (ch)->player.title); 
 } 
 else 
 { 
   sprintf (pTitle, "None"); 
 } 
 
 dbi_conn_quote_string_copy(conn, pTitle, &pTitle2); 
 
 sprintf (sql_columns, "name, title"); 
 sprintf (sql_string, "REPLACE into data (%s) VALUES (\"%s\", \"%s\")", 
          sql_columns, 
          GET_NAME (ch), 
          pTitle2 ); 
 
 result = dbi_conn_queryf (conn, sql_string);

Well, this is not a list about C coding, but it looks like you sprintf()
some string to a non-allocated buffer. I'm just wondering why the code
doesn't crash in sprintf() then.

In any case, it is far simpler to use dbi_conn_quote_string_copy() on
the assembled SQL query string rather than on single items. E.g. the
quoted string is surrounded by escape characters, and you subsequently
wrap another pair around the title. This does not seem to generate valid
SQL. Also, if you don't use the printf()-like capabilities of
dbi_conn_queryf(), there is no point in using this function. Use
dbi_conn_query() instead.

regards,
Markus

-- 
Markus Hoenicka
http://www.mhoenicka.de
AQ score 38
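The two points raised in this thread, that the buffers must exist before sprintf() writes into them and that each value is quoted exactly once and then sent literally rather than through a printf-style format, can be shown in plain C. The following is an added example; it is neither code from the thread nor part of libdbi. The helper quote_sql_literal() is an assumption standing in for dbi_conn_quote_string_copy(): it wraps the value in single quotes and doubles any embedded single quote, which is the generic SQL escaping rule, whereas the real libdbi function delegates escaping to the database driver. The name `data` and the columns `name, title` are taken from the thread; `build_replace_sql()` is a hypothetical helper.

```c
/* Added example, not part of the libdbi-users thread or of libdbi.
 * Demonstrates: (1) allocating buffers before writing to them,
 * (2) quoting each value once, (3) keeping user data out of the
 * format argument so a literal "%s" in a value survives untouched. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for dbi_conn_quote_string_copy(conn, in, &out) (assumption:
 * libdbi drivers may escape differently).  Returns a malloc'd copy of
 * `in` wrapped in single quotes with embedded quotes doubled, e.g.
 * O'Neil -> 'O''Neil'.  Caller frees the result. */
char *quote_sql_literal(const char *in)
{
    size_t n = strlen(in), extra = 0;
    for (size_t i = 0; i < n; i++)
        if (in[i] == '\'') extra++;
    char *out = malloc(n + extra + 3);   /* two quotes plus NUL */
    if (!out) return NULL;
    char *p = out;
    *p++ = '\'';
    for (size_t i = 0; i < n; i++) {
        if (in[i] == '\'') *p++ = '\'';  /* escape by doubling */
        *p++ = in[i];
    }
    *p++ = '\'';
    *p = '\0';
    return out;
}

/* Hypothetical helper: assembles the REPLACE statement from the thread.
 * The format string is a compile-time constant; user-controlled text
 * only ever appears as an argument, already quoted.  A NULL title maps
 * to the literal "None" as in the original code.  Caller frees. */
char *build_replace_sql(const char *name, const char *title)
{
    const char *t = title ? title : "None";
    char *qname = quote_sql_literal(name);
    char *qtitle = quote_sql_literal(t);
    if (!qname || !qtitle) { free(qname); free(qtitle); return NULL; }

    const char *fmt = "REPLACE INTO data (name, title) VALUES (%s, %s)";
    int len = snprintf(NULL, 0, fmt, qname, qtitle);  /* measure first */
    char *sql = malloc((size_t)len + 1);               /* then allocate */
    if (sql) snprintf(sql, (size_t)len + 1, fmt, qname, qtitle);
    free(qname);
    free(qtitle);
    return sql;
}

int main(void)
{
    /* Constructed sample values; the first title is the one from the thread. */
    char *sql = build_replace_sql("Rj", "%s Saints going down tonight!");
    puts(sql);   /* the %s is data, not a format directive, so it is kept verbatim */
    free(sql);

    sql = build_replace_sql("O'Neil", NULL);
    puts(sql);   /* embedded quote doubled, NULL title became 'None' */
    free(sql);

    /* In a real program the assembled string is then passed literally:
     *   result = dbi_conn_query(conn, sql);
     * not dbi_conn_queryf(conn, sql), which would re-parse any %s in it. */
    return 0;
}
```

The measure-then-allocate pattern with snprintf() replaces the sprintf() into a NULL pointer that caused the crash in the posted code, and because the SQL is handed to the literal query function, a value such as "%s Saints going down tonight!" can no longer be interpreted as a format string.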



Re: [libdbi-users] libdbi and SQL Injection

2014-01-10 Thread Rick Robinson
As you suggested, I switched to dbi_conn_query and it took care of the issue.
Appreciate the quick responses and suggestions. I'll be spending more time
on the manual this week :)

Thanks,
Rj


On Fri, Jan 10, 2014 at 10:23 AM, Markus Hoenicka 
markus.hoeni...@mhoenicka.de wrote:

 At 2014-01-10 15:56, Rick Robinson was heard to say:

 I have tried the following, which I believe is on the right track but the
 program crashes as soon as it gets to  dbi_conn_quote_string_copy. I try to
 use dbi_conn_quote_string_copy to keep the bad string locked down, and then
 use dbi_conn_queryf to read the new locked down value into the db. Sadly, I
 am not the greatest C coder so I am probably overlooking something
 relatively simple to make this work.

 char *pTitle=NULL;
 char *pTitle2=NULL;

 if ((ch)->player.title)
 {
   sprintf (pTitle, (ch)->player.title);
 }
 else
 {
   sprintf (pTitle, "None");
 }

 dbi_conn_quote_string_copy(conn, pTitle, &pTitle2);

 sprintf (sql_columns, "name, title");
 sprintf (sql_string, "REPLACE into data (%s) VALUES (\"%s\", \"%s\")",
          sql_columns,
          GET_NAME (ch),
          pTitle2 );

 result = dbi_conn_queryf (conn, sql_string);


 Well, this is not a list about C coding, but it looks like you sprintf() some 
 string to a non-allocated buffer. I'm just wondering why the code doesn't 
 crash in sprintf() then.

 In any case, it is far simpler to use dbi_conn_quote_string_copy() on the 
 assembled SQL query string rather than on single items. E.g. the quoted 
 string is surrounded by escape characters, and you subsequently wrap another 
 pair around the title. This does not seem to generate valid SQL. Also, if you 
 don't use the printf()-like capabilities of dbi_conn_queryf(), there is no 
 point in using this function. Use dbi_conn_query() instead.


 regards,
 Markus

 --
 Markus Hoenicka
 http://www.mhoenicka.de
 AQ score 38




