help-gnu-emacs

From: Jean Louis
Subject: Re: Printf and quoting in general, SQL injection in particular [was: Emacs Modular Configuration: the preferable way]
Date: Tue, 22 Jun 2021 00:29:28 +0300
User-agent: Mutt/2.0.7+183 (3d24855) (2021-05-28)

* tomas@tuxteam.de <tomas@tuxteam.de> [2021-06-22 00:17]:
> > the danger mentioned on the funny comic is practically non-existent as
> > it will never take place on my side [...]
> 
> But your side is not "the world", and therefore Eli's warning was
> spot-on. Someone will browse the mail archives and copy your solution
> without knowing the dangers.

I agree on that. But we cannot possibly expect all possible dangers to
be known by all possible programmers at all times, especially on this
mailing list, and then in so many external Emacs packages. My
intention to improve is (or should be) perceivable. The email you are
replying to is proof that I did not claim it is a "solution" at
all. Quite the contrary, I have validated your point and found 400+
possible problems in the program. It should be clear to every reader
that it is not a definite solution. Programs develop. They are never
perfect until they get perfect.

Without a single occurrence of an incident with SQL it is an exaggeration
to say there is a practical danger, rather a hypothetical danger.

Then when we speak of PostgreSQL, users should anyway not be given
permissions to DROP tables, as that should be left to
administrators. There is a similar approach to updates of tables: there
is row-level security, and users can update whatever they are permitted
to, but not what they are not permitted to. All the dangers we speak
about are usually solved at the database level.

> > I am a heavy user of the Emacs package: emacs-libpq @ Github
> > https://github.com/anse1/emacs-libpq
> 
> No idea and no bandwidth to read it all. If you are tied to
> PostgreSQL (a good choice, I'd say), consider using prepared
> queries: they do what client-side template expansion does (even the
> careful kind, with unescaping and all), and I'd expect them to
> do it much better, since PostgreSQL knows its own syntax best.

I will do, thanks.

-- 
Jean

Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns

In support of Richard M. Stallman
https://stallmansupport.org/
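The thread contrasts printf-style template expansion of SQL with prepared (parameterized) queries. The following is an added illustration, not code from the mailing list, from emacs-libpq, or from either poster. It uses Python's in-process sqlite3 module as a stand-in for PostgreSQL so that it runs offline; the table, the sample rows and the input strings are constructed for the example. The mechanism is the same one tomas describes: with a bound parameter the value travels separately from the statement text, so the server never parses it as SQL, whereas with template expansion a quote character in the value becomes part of the query.

```python
import sqlite3

# Constructed sample data for the example (not from the thread).
SAMPLE_USERS = [
    ("alice", "alice@example.org"),
    ("bob", "bob@example.org"),
    ("o'brien", "obrien@example.org"),   # a legitimate name containing a quote
]

def make_db():
    """Build a throwaway in-memory database with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn

def find_email_formatted(conn, name):
    """Template expansion: the value is spliced into the SQL text.

    Any quote character inside `name` is parsed as SQL, so the query's
    structure depends on the data. This is the pattern the thread warns
    against; it is kept here only to show the difference.
    """
    sql = "SELECT email FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]

def find_email_prepared(conn, name):
    """Parameter binding: the statement text is fixed, the value is bound.

    sqlite3 uses `?` placeholders; PostgreSQL uses `$1`, `$2`, ... with
    PQexecParams or a server-side PREPARE. Either way the value can only
    ever be compared as a string, never interpreted as SQL.
    """
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

def compare(name):
    """Run both variants on one input and report what each returns.

    The formatted variant may raise a syntax error (e.g. for a name with
    an apostrophe); that is reported as the string "error" rather than
    propagated, so the two behaviours can be compared side by side.
    """
    conn = make_db()
    try:
        formatted = sorted(find_email_formatted(conn, name))
    except sqlite3.Error:
        formatted = "error"
    prepared = sorted(find_email_prepared(conn, name))
    return {"formatted": formatted, "prepared": prepared}

if __name__ == "__main__":
    # A quote that closes the literal early changes the WHERE clause when
    # formatted, but is just an unmatched name when bound as a parameter.
    print(compare("x' OR 'a'='a"))
    # An ordinary name with an apostrophe breaks the formatted query
    # outright, while the bound version simply finds the row.
    print(compare("o'brien"))
    print(compare("alice"))
```

The second case is the one that usually surfaces first in practice: long before anyone malicious shows up, a perfectly ordinary value containing a quote makes the templated query fail, which is the kind of defect an audit of string-built queries tends to find in quantity. Binding the parameter fixes both the correctness problem and the injection problem with the same change, and, as Jean Louis notes, limiting the database role's privileges (no DROP, row-level policies on UPDATE) bounds what any remaining defect can do.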