From: tomas
Subject: Printf and quoting in general, SQL injection in particular [was: Emacs Modular Configuration: the preferable way]
Date: Mon, 21 Jun 2021 23:15:47 +0200
User-agent: Mutt/1.5.21 (2010-09-15)

On Mon, Jun 21, 2021 at 11:36:25PM +0300, Jean Louis wrote:
> * tomas@tuxteam.de <tomas@tuxteam.de> [2021-06-21 17:12]:
> > But you still see extremely bad habits "out there" which wouldn't be
> > necessary these days -- because, well, they are "out there" (for
> > example: assebling SQL queries with sprintf [1]). They take a life
> > of their own :-)
> > 
> > Cheers
> > [1] https://xkcd.com/327/
> 
> Your small reference is definitely a possible danger if SQL input is
> anyhow exposed [...]

My hint was rather a metaphor: using string operations on things that
aren't really strings (in the original case: file system paths) can
lead to surprising results.

> the danger mentioned on the funny comic is practically non-existent as
> it will never take place on my side [...]

But your side is not "the world", and therefore Eli's warning was
spot-on. Someone will browse the mail archives and copy your solution
without knowing the dangers.

> I am heavy user of the Emacs package: emacs-libpq @ Github
> https://github.com/anse1/emacs-libpq

No idea and no bandwidth to read it all. If you are tied to
PostgreSQL (a good choice, I'd say), consider using prepared
queries: they do what client-side template expansion does (even the
careful kind, with unescaping and all), and I'd expect them to
do it much better, since PostgreSQL knows its own syntax best.

Cheers
 - t

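The contrast tomas is drawing, as an added example that is not part of the original thread and not code from emacs-libpq or PostgreSQL: a query assembled with sprintf-style formatting next to the same query as a parameterised (prepared) statement. Python's built-in sqlite3 stands in for PostgreSQL because it runs offline; the placeholder is `?` here where libpq's PQexecParams uses `$1`, but the mechanism is the same, the value travels separately from the SQL text. The table and the names are constructed sample data.

```python
import sqlite3

# Constructed sample rows; the apostrophe in "O'Brien" is ordinary data that
# any real user table will eventually contain.
SAMPLE_USERS = [("alice", "a-secret"), ("O'Brien", "ob-secret"), ("bob", "b-secret")]


def make_db():
    """In-memory stand-in for the PostgreSQL table the mail talks about."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_sprintf(conn, name):
    """The habit the mail warns about: splice the value into the SQL text.

    Whatever `name` contains becomes part of the statement's syntax, so the
    database has no way to tell data from code.
    """
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn, name):
    """Parameterised query: the SQL text is fixed, the value is bound to `?`.

    With libpq the same statement would read `... WHERE name = $1` and the
    value would be passed through PQexecParams; the server parses the query
    with its own grammar and never sees the value as SQL.
    """
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def compare(name):
    """Run both lookups on a fresh table and return (sprintf_result, prepared_result).

    A malformed statement produced by the splice is reported as an
    "error: ..." string instead of raising, so the two can be shown side by side.
    """
    conn = make_db()
    try:
        sprintf_result = lookup_sprintf(conn, name)
    except sqlite3.OperationalError as exc:
        sprintf_result = "error: %s" % exc
    prepared_result = lookup_prepared(conn, name)
    conn.close()
    return sprintf_result, prepared_result


if __name__ == "__main__":
    # A plain name: both agree.
    print(compare("alice"))
    # A legitimate name with an apostrophe: the splice yields broken SQL,
    # the prepared query simply finds the row.
    print(compare("O'Brien"))
    # A value that carries a quote and an OR: the splice turns it into a
    # different WHERE clause (every row matches); the prepared query treats
    # the whole thing as one literal name and matches nothing.
    print(compare("x' OR 'a'='a"))
```

The second case is the one that bites even people who "never expose SQL input": no attacker is needed for an apostrophe to appear in a name, and the sprintf version breaks on it while the prepared version does not. The third case is the comic's point; note that the prepared version needs no client-side escaping to get it right.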