[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Prevent SQL Injection in DBI
|
From: |
Linas Vepstas |
|
Subject: |
Re: Prevent SQL Injection in DBI |
|
Date: |
Mon, 10 Jul 2017 17:13:05 -0500 |
I don't think guile-dbi does this safety check. You are welcome to add it.
Since gna.org is dead, I moved everything over to
https://github.com/opencog/guile-dbi
--linas
On Mon, Mar 27, 2017 at 1:24 PM, Christopher Allan Webber <
address@hidden> wrote:
> Jakub Jankiewicz writes:
>
> > Hi all,
> >
> > I want to use guile-dbi with unsafe user input. I have code like this:
> >
> > (dbi-query db-obj (string-append "SELECT * FROM users WHERE username = '"
> > username
> > "'"))
> >
> > How can I escape username given from user to prevent sql injection?
> >
> > I could validate username to only contain letters using [a-zA-Z] regex
> but
> > what about other languages that have non Latin letters and names like
> O'Conor?
> > This will also don't work for password that may have special characters.
>
> guile-squee is pretty immature but I do think it does this one bit
> correctly... parameters to the procedure shouldn't be substituted in the
> string, they should be provided as additional arguments, like
>
> (exec-query db-obj "SELECT * FROM users WHERE username=$1"
> '("alice"))
>
> I seem to remember trying to find out if this was possible to do in
> dbi-query, and not succeeding at finding such a route? (guile-dbi,
> unlike guile-squee, has some maturity though...)
>
>
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- Re: Prevent SQL Injection in DBI,
Linas Vepstas <=