The problem is that postgresql before 8.2 did not conform to the SQL
specs and uses

\' to escape quotes instead of ''

Even in 8.2 it was optional and had to be set with the command that
gives you trouble.

1)
One thing you can do is use this validator

class IS_SAFE(object):
    """Validator that rejects any value containing a backslash."""
    def __init__(self):
        pass
    def __call__(self, value):
        # web2py validators return (value, error); error is None when valid
        if '\\' in value:
            return (value, 'unsafe')
        return (value, None)

for every input field that accepts a string.

2)
You could modify gluon/sql.py executesql() to replace "\" with "\\"
and "''" with "\'" before it calls execute, but this would require testing
and would only work with old versions of postgresql.




On Sep 30, 8:31 am, Oleg <[email protected]> wrote:
> Oops.. You are right.. hm... what would you recommend in this case?
> Is it possible to make some kind of protection on web2py level?
>
> Should I just apply this patch always locally for every new version
> of web2py? :)
>
> On Sep 30, 3:14 pm, mdipierro <[email protected]> wrote:
>
> > Your app is vulnerable to SQL injections. Anybody can get in. period.
>
> > On Sep 30, 5:30 am, Oleg <[email protected]> wrote:
>
> > > Much older :) My client has PostgreSQL 7.4. They have there some
> > > sensitive pharma-data and don't wanna
> > > migrate to new one in next few years.. :( :(
>
> > > What kind of vulnerability do you mean? What would you recommend in
> > > this case?
>
> > > Thank you
>
> > > On Sep 30, 2:38 am, mdipierro <[email protected]> wrote:
>
> > > > Which postgresql version do you have? If you don't have this parameter
> > > > you probably have 8.1 or older. That causes a major security
> > > > vulnerability with web2py.
>
> > > > On Sep 29, 4:44 pm, Oleg Butovich <[email protected]> wrote:
>
> > > > > subj. with error:
> > > > > RuntimeError: unrecognized configuration parameter 
> > > > > "standard_conforming_strings"
> > > > >  (tried 5 times)
>
> > > > > I propose set standard_conforming_strings only if it defined.. :)
>
> > > > > See attached patch
>
> > > > >  legacy_postgres.patch
>
>
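As an added illustration (not part of the thread and not web2py code), here is a small Python model of the two escaping modes discussed above: quote_literal builds a literal with or without backslash escaping, parse_literal reads it back the way the server would under each setting of standard_conforming_strings, and round_trips checks that the literal ends where the quoting code expected and the rest of the statement is untouched. All names are assumptions, and the legacy backslash handling is simplified.

```python
def quote_literal(value, escape_backslashes):
    """Quote `value` as a single-quoted SQL literal.

    Doubling the quote is enough with standard_conforming_strings=on; on
    8.1 and older (or 8.2 with it off) backslash is also an escape character
    and has to be doubled too.
    """
    escaped = value.replace("\\", "\\\\") if escape_backslashes else value
    return "'" + escaped.replace("'", "''") + "'"

def parse_literal(sql, standard_conforming_strings):
    """Read the literal at the start of `sql` the way the server would.

    Returns (decoded_value, index_after_closing_quote); raises ValueError if
    the literal never terminates, i.e. the server is still inside the string
    where the caller thought the value had ended.  Simplified: in legacy mode
    a backslash just yields the next character (the server also maps \\n etc).
    """
    if not sql.startswith("'"):
        raise ValueError("not a string literal")
    out, i = [], 1
    while i < len(sql):
        ch = sql[i]
        if ch == "'":
            if sql[i + 1:i + 2] == "'":       # '' is a quote in either mode
                out.append("'")
                i += 2
                continue
            return "".join(out), i + 1        # closing quote found
        if ch == "\\" and not standard_conforming_strings:
            if i + 1 >= len(sql):
                break                         # backslash with nothing after it
            out.append(sql[i + 1])            # legacy: backslash escapes next char
            i += 2
            continue
        out.append(ch)
        i += 1
    raise ValueError("unterminated literal")

def round_trips(value, server_standard_conforming_strings, escape_backslashes):
    """True if the server reads the quoted value back unchanged and the rest
    of the statement (a constructed tail) is left exactly as written."""
    tail = " AND id = 1"
    sql = quote_literal(value, escape_backslashes) + tail
    try:
        decoded, end = parse_literal(sql, server_standard_conforming_strings)
    except ValueError:
        return False
    return decoded == value and sql[end:] == tail
```

A value ending in a backslash quoted with quote-doubling only fails the round trip on a legacy server (the closing quote is consumed), while doubling backslashes fails on a standard-conforming server, which is why option 2 only helps with old PostgreSQL and option 1 rejects backslashes outright.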
