this is the only proper way, and it relies on the underlying driver
implementation.
On Tuesday, September 13, 2016 at 5:08:30 PM UTC+2, Lisandro wrote:
>
> Thank you Niphlod.
> I've seen that db.executesql receives the "placeholders" argument in order
> to do the escaping.
> I've modified my code to this:
>
> def search():
> results = db.executesql('SELECT * FROM contenido WHERE tsv @@
> plainto_tsquery(%s)', placeholders=[request.vars.q])
> return dict(results=results)
>
> *Can you confirm that this is the proper way to do it? *
> I couldn't find much documentation about that, just this:
>
> - http://web2py.com/books/default/chapter/29/6#executesql
> -
>
> https://groups.google.com/forum/#!searchin/web2py/executesql$20placeholders$20escape%7Csort:relevance/web2py/kblhrTsVW6M/2vJ_afgty34J
>
>
> Thanks in advance!
>
>
>
> El martes, 13 de septiembre de 2016, 6:51:55 (UTC-3), Niphlod escribió:
>>
>> app/controller/function&q=everythingyoucanthinkof .
>>
>> NEVER . EVER. EVER. build queries without proper escaping.
>>
>> On Monday, September 12, 2016 at 3:12:50 PM UTC+2, Lisandro wrote:
>>>
>>> Hi there!
>>> I have a simple view with a form (with GET method), in order to allow my
>>> visitors to do some search.
>>> The controller/function that processes the get is this:
>>>
>>> def search():
>>> session.forget(response)
>>> query = "tsv @@ plainto_tsquery('%s')" % request.vars.q
>>> total = db.executesql('SELECT COUNT(*) FROM contenido WHERE %s' %
>>> query)
>>> results = db(query).select()
>>> return dict(results=results)
>>>
>>> As you can see, I use a tsv field to implement postgresql full text
>>> search. The funcion is working ok.
>>> But *yesterday, I had an attack attempt*, or something like that. In
>>> just one hour, some robot sent a lot of queries to that URL, putting
>>> "garbage" in the "q" parameter.
>>>
>>> How did I notice that? Well, *in just one hour around 500 error tickets
>>> were created* in the /errors folder. All the errors have this form:
>>>
>>> - unterminated quoted string at or near
>>> "'../../../../../../../../../../windows/win.ini" LINE 1: ...tsv @@
>>> plainto_tsquery('../../../... ^
>>> - unterminated quoted string at or near
>>> "'1some_inexistent_file_with_long_name" LINE 1: ...tsv @@
>>> plainto_tsquery('1some_ine... ^
>>> - unterminated quoted string at or near
>>> "'../../../../../../../../../../etc/passwd" LINE 1: ...tsv @@
>>> plainto_tsquery('../../../... ^
>>> - invalid byte sequence for encoding "UTF8": 0xf0 0x20 0x20 0xf0
>>> - invalid byte sequence for encoding "UTF8": 0xf6 0x22 0x20 0x6f
>>> - invalid byte sequence for encoding "UTF8": 0xa0
>>>
>>>
>>> *I've already tried to use the search form with those query strings, but
>>> I cannot reproduce the error.*
>>> *How could the robot send those bytes to the query function?*
>>>
>>> Of course I can add a try: except: block, however I was wondering how to
>>> reproduce the error, I wasn't able to do it.
>>> Any help will be appreciated.
>>>
>>> Thanks in advance!
>>> Regards,
>>> Lisandro.
>>>
>>
--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
For more options, visit https://groups.google.com/d/optout.
