Re: Printf and quoting in general, SQL injection in particular
From: Jean Louis
Subject: Re: Printf and quoting in general, SQL injection in particular
Date: Tue, 22 Jun 2021 03:52:24 +0300
User-agent: Mutt/2.0.7+183 (3d24855) (2021-05-28)
* Emanuel Berg via Users list for the GNU Emacs text editor
<help-gnu-emacs@gnu.org> [2021-06-22 03:35]:
> > I am thinking how can I make it safer for SQL queries.
>
> SQL injection isn't avoided by not assembling queries with
> string functions but by quoting user input.
It is impossible in the `emacs-libpq' package to avoid formatting strings
and passing them to the database.
What is possible is to minimize it, so that users' input is
automatically quoted by the database by passing it as parameters
instead of passing data as parameters to `format'.
I prefer the latter. There is less code. I have improved it after
Thomas's suggestions.
Now I am preparing statements:
(defun rcd-db-prepare-statement (name prepared pg)
  (unless (rcd-sql-first "SELECT statement FROM pg_prepared_statements WHERE name = $1" pg name)
    (rcd-sql prepared pg)))
(defun rcd-db-prepare-statements ()
  (rcd-db-prepare-statement
   "persons_emails"
   "PREPARE persons_emails(int) AS SELECT DISTINCT unnest(array[people_email1, people_email2, people_email3] || people_emailsobsolete) FROM people WHERE people_id = $1"))
Now the function is small and nice:
(defun cf-emails-by-id (id)
  "Returns list of emails for contact ID"
  (delq nil (pq:query cf-db (format "EXECUTE persons_emails(%s)" id))))
and it was this big and complex without true necessity:
(defun cf-emails-by-id (id)
  "Returns list of emails for contact ID"
  (let* ((sql (format "SELECT people_email1, people_email2, people_email3 FROM people WHERE people_id = %s" id))
         (emails (rcd-sql-first sql cf-db))
         (obsolete-emails (rcd-db-array-value-as-list "people" "people_emailsobsolete" id cf-db))
         (emails (append emails obsolete-emails))
         (emails (seq-remove 'seq-empty-p emails))
         (emails (mapcar (lambda (e) (when (string-match "@" e) e)) emails))
         (emails (remove nil emails)))
    emails))
--
Jean
Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns
In support of Richard M. Stallman
https://stallmansupport.org/
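A worked example of the two shapes discussed in the message above (user data spliced into the SQL text with `format' versus sent as a bound parameter), plus the PREPARE/EXECUTE variant, added here as an illustration. It is not code from this post, from Jean Louis's RCD functions, or from emacs-libpq. It assumes emacs-libpq's `pq:query' takes (CONN QUERY &rest PARAMS) and binds $1, $2, ... in QUERY to PARAMS on the server, with the values sent beside the SQL text rather than inside it (the post's `rcd-sql-first ... pg name' call with `$1' relies on the same thing); that parameters are sent as text and cast by the server from context; that an empty result comes back as nil; that the module is loaded as `pq'; and that the `people' columns are the ones named in the post. The connection string, the `cf-' names and `cf-emails-sql' are hypothetical. The string-only helper runs without any database; the rest needs a connection from `pq:connectdb'. One caveat the example shows: the arguments of EXECUTE are expressions inside the statement text, so an id spliced into "EXECUTE ...(%s)" with `format' is only safe when it is already a number.

```elisp
;; Added example, not code from the original post or from emacs-libpq.
;; Assumptions (see lead-in): `pq:query' is (CONN QUERY &rest PARAMS),
;; binds $1.. to PARAMS server-side, returns nil for an empty result, and
;; sends parameters as text that the server casts from context; DB is a
;; connection made with `pq:connectdb'; the `people' columns are the
;; post's.  The module is loaded as `pq', as in the post's `pq:query' calls.
(require 'cl-lib)
(require 'pq)

(defconst cf-emails-sql
  "SELECT DISTINCT unnest(array[people_email1, people_email2, people_email3]
                          || people_emailsobsolete)
   FROM people WHERE people_id = $1"
  "Single-column query; $1 is bound to the contact id when it runs.")

;; 1. The injectable shape.  With `format' the value becomes part of the
;; SQL text, so the statement the server parses depends on the value.
;; This helper only builds the string, so it runs without a database.
(defun cf-sql-text-unsafe (id)
  "Return the SQL text `format' would send for ID.  Do not send it."
  (format "SELECT people_email1 FROM people WHERE people_id = %s" id))

;; (cf-sql-text-unsafe 17)
;;   => "SELECT people_email1 FROM people WHERE people_id = 17"
;; (cf-sql-text-unsafe "17 OR true")
;;   => "SELECT people_email1 FROM people WHERE people_id = 17 OR true"
;; The second WHERE clause is always true: every row's address comes back.

;; 2. Bound parameter.  The SQL text is a constant and ID travels beside
;; it, so no value can change the statement's structure; a non-numeric ID
;; fails the server's cast to the column's type instead of being parsed.
(defun cf-emails-by-id (db id)
  "Return the non-empty emails of contact ID, passing ID as a parameter."
  (delq nil (pq:query db cf-emails-sql id)))

;; 3. Prepared statement, as in the post.  PREPARE/EXECUTE saves a parse
;; per call, but the arguments of EXECUTE are expressions inside the
;; statement text, so an ID spliced in with `format' must already be a
;; number: a string would be spliced verbatim.  `%d' refuses a string, and
;; the type check gives a clearer error before any SQL is built.
(defun cf-prepare-emails (db)
  "Create the prepared statement in DB's session unless it already exists."
  (unless (pq:query db "SELECT 1 FROM pg_prepared_statements WHERE name = $1"
                    "persons_emails")
    (pq:query db (concat "PREPARE persons_emails(int) AS " cf-emails-sql))))

(defun cf-emails-by-id-prepared (db id)
  "Like `cf-emails-by-id', through the session's prepared statement."
  (cl-check-type id integer)
  (delq nil (pq:query db (format "EXECUTE persons_emails(%d)" id))))

;; Usage; the connection string is hypothetical and must match your server:
;; (let ((db (pq:connectdb "dbname=mydb")))
;;   (cf-prepare-emails db)
;;   (cf-emails-by-id db 17)
;;   (cf-emails-by-id-prepared db 17))
```

The prepared statement lives in the session, so `cf-prepare-emails' has to run once per connection (the `pg_prepared_statements' lookup, done with a bound parameter itself, makes it safe to call repeatedly). For a query that is executed only a few times per session the plain bound-parameter form in `cf-emails-by-id' is simpler and has no `format' call left to get wrong.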