SQL injection with guile-pg

guile-user

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

SQL injection with guile-pg

From:	Greg Troxel
Subject:	SQL injection with guile-pg
Date:	Thu, 06 Jan 2005 11:52:29 -0500

I'm writing some code with guile-pg, and on reading:

  http://www.unixwiz.net/techtips/sql-injection.html

went to check my code.

My application sends multicast packets with key/value pairs using the
print representation of alists, basically.  On receipt of a packet from
host "foo", the strings are updated in a table with columns hostname,
key and value.
I am using the single-table abstraction for most of this, and find
that it quotes properly (using sql-quote in postgres-tables.scm) when
using type converters.

However, in order to delete the old value, and to look up values, I
used a where clause that I had constructed.  This turned out to be
vulnerable since it did not quote.

My code looked something like this

;; Make where clause for hostname and key
(define (ssp-where-body hostname key)
  (string-append "hostname = '" hostname
                  "' and key = '" key "'"))

(define (ssp-where hostname key)
  (where-clausifier (ssp-where-body hostname key)))

;; Fetch value for hostname and key.  Return #f if not in database.
;; Return 'multiple if there are multiple values (this is an error,
;; but ssp-delete still should delete them in this case.
(define-public (ssp-fetch hostname key)
  (let
      ((r
      (((ssp-manager) 'select)
       "value"
        (ssp-where hostname key))))
    (if (and (equal? 'PGRES_TUPLES_OK (pg-result-status r))
         (> (pg-ntuples r) 0))
         (if (= 1 (pg-ntuples r))
             (pg-getvalue r 0 0)
                 'multiple)
                 #f)))

With that, the following dropped my table:

(ssp-fetch "foobar" "test'; drop table ssp; select * from configuredlocation 
where hostname = 'foo")

So, I changed to


With that, inserting unreasonable strings worked fine:

guile> (ssp-update "foobar" "test'; drop table ssp; select * from 
configuredlocation where hostname = 'foo" "bar")
#<PG-RESULT:60:PGRES_COMMAND_OK:0:0>


psql# select * from ssp;
 hostname |                                      key                            
          | value 
----------+-------------------------------------------------------------------------------+-------
 foobar   | test'; drop table ssp; select * from configuredlocation where 
hostname = 'foo | bar
(1 row)

guile> (ssp-fetch "foobar" "test'; drop table ssp; select * from 
configuredlocation where hostname = 'foo")
"bar"


I don't mean to criticize guile-pg; the error above was mine in using
input data unquoted in a query, and is a standard SQL newbie error.

It would be nice, though, to have sql-quote as a user-accessible procedure.

It would be further cool to do two things:

  use bound parameters, so that the strings aren't part of the sql
  command, but are passed as data


  have some support to make a sql command fragment with safe/quoted type 
conversion, perhaps something like
  (sql-prep "select foo from bar where a = " (list 'text s) ";")
  where s is a string.

Thanks to ttn for maintaining guile-pg; despite my wishes for more I'm
glad to be doing things in guile rather than perl.

[Prev in Thread]

Current Thread

[Next in Thread]

SQL injection with guile-pg, Greg Troxel <=

Prev by Date: Re: g-wrap - apt-get installs 2 different versions ?
Next by Date: Re: The future: accessing vectors, arrays, etc from C
Previous by thread: sales leads doctors' american directory, 40, 000 hospitals, 25, 000 nursing homes and 400, 000 doctors.
Next by thread: Guile scripts and setuid bit -> trouble
Index(es):
- Date
- Thread