
Re: Printf and quoting in general, SQL injection in particular


From: Jean Louis
Subject: Re: Printf and quoting in general, SQL injection in particular
Date: Tue, 22 Jun 2021 03:52:24 +0300
User-agent: Mutt/2.0.7+183 (3d24855) (2021-05-28)

* Emanuel Berg via Users list for the GNU Emacs text editor 
<help-gnu-emacs@gnu.org> [2021-06-22 03:35]:
> > I am thinking how can I make it safer for SQL queries.
> 
> SQL injection isn't avoided by not assembling queries with
> string functions but by quoting user input.

It is impossible in `emacs-libpq' package to avoid formatting strings
and passing it to database.

What is possible is to minimize it so that users' input is
automatically quoted by the database by passing it as parameters
instead of passing data as parameters to `format'.

I prefer the latter. There is less code. I have improved after
Thomas's suggestions.

Now I am preparing statements:

(defun rcd-db-prepare-statement (name prepared pg)
  (unless
      (rcd-sql-first "SELECT statement FROM pg_prepared_statements WHERE name = $1" pg name)
    (rcd-sql prepared pg)))

(defun rcd-db-prepare-statements ()
  (rcd-db-prepare-statement "persons_emails" "PREPARE persons_emails(int) AS SELECT DISTINCT unnest(array[people_email1, people_email2, people_email3] || people_emailsobsolete) FROM people WHERE people_id = $1"))

Now function is small and nice:

(defun cf-emails-by-id (id)
  "Returns list of emails for contact ID"
  (delq nil (pq:query cf-db (format "EXECUTE persons_emails(%s)" id))))

and it was this big and complex without true necessity:

(defun cf-emails-by-id (id)
  "Returns list of emails for contact ID"
  (let* ((sql (format "SELECT people_email1, people_email2, people_email3 FROM people WHERE people_id = %s" id))
         (emails (rcd-sql-first sql cf-db))
         (obsolete-emails (rcd-db-array-value-as-list "people" "people_emailsobsolete" id cf-db))
         (emails (append emails obsolete-emails))
         (emails (seq-remove 'seq-empty-p emails))
         (emails (mapcar (lambda (e) (when (string-match "@" e) e)) emails))
         (emails (remove nil emails)))
    emails))


-- 
Jean

Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns

In support of Richard M. Stallman
https://stallmansupport.org/
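An added example, not part of Jean's message or of the emacs-libpq project: the same lookup with the contact id handed to the driver as a bound parameter, so the id never passes through `format' at all and no server-side PREPARE is needed. It assumes emacs-libpq's `pq:query' accepts trailing values bound to $1, $2, ... (as its README shows), returns bare values for single-column results (as Jean's `delq nil' usage relies on), and that `cf-db' is an open connection.

```elisp
;; Added example (not from the original message).  Assumes emacs-libpq is
;; loaded, that (pq:query CONN SQL &rest PARAMS) binds PARAMS to $1, $2, ...
;; on the server, and that `cf-db' is an open connection.
(require 'seq)

(defconst cf-emails-by-id-sql
  "SELECT DISTINCT unnest(array[people_email1, people_email2, people_email3]
                          || people_emailsobsolete)
   FROM people
   WHERE people_id = $1"
  "Query text with a placeholder; the caller's ID is never spliced into it.")

(defun cf-emails-by-id (id)
  "Return the list of non-empty email addresses for contact ID.
ID is checked to be an integer here and then sent as a bound parameter,
so it can only ever be data, never part of the SQL text."
  (unless (integerp id)
    (signal 'wrong-type-argument (list 'integerp id)))
  ;; Single-column rows come back as bare values; NULL rows are nil.
  ;; Keep only strings that look like addresses, as the old version did.
  (seq-filter (lambda (e) (and (stringp e) (string-match-p "@" e)))
              (pq:query cf-db cf-emails-by-id-sql id)))
```

The parameter binding is done by libpq's PQexecParams, so the same protection applies to any other query in the file once its `format' call is replaced by $n placeholders and trailing arguments.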
