From: Emanuel Berg
Subject: Re: Printf and quoting in general, SQL injection in particular [was: Emacs Modular Configuration: the preferable way]
Date: Sat, 26 Jun 2021 08:31:44 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/28.0.50 (gnu/linux)

Jean Louis wrote:

>>> I agree on that. But we cannot possibly expect all
>>> possible dangers to be known by all possible programmers
>>> at all times, especially on this mailing list.
>> 
>> OK, so the SQL injection is a common attack vector, but
>> what should we call this issue?
>
> It is probably lack of database administration skills. It is
> nothing related to Emacs really.

It doesn't? :)

> There is nothing special about SQL compared to any other kind of
> user input. In fact, PostgreSQL and MySQL or MariaDB are
> rather safe databases.

I think that has turned into a schoolbook example because it
has a cool name and everyone will understand it instantly.
So it can serve the educational purpose to illuminate this in
all of computing to not execute or use user input, without
checking it out first. Indeed it would surprise me if you
could just do it out-of-the-box for modern database management
systems and expect it to be just wide open there for you to
do it.

> On the other hand, injecting simple malicious Emacs Lisp
> anywhere in any file is, as a possible option, omnipresent on
> the Internet, and we don't even speak about that.

Well, it doesn't work like that, really.

> Thousands of users are blindly accepting programs from MELPA

Ha ha, thousands of users are doing that blindly! My, my.
How many people are doing it with ONE EYE open, you think?

M-x how-many RET

> And then we worry about possible SQL injections in Emacs
> Lisp.

No, we aren't...

> Bounty is US $10 from my side if somebody succeeds in SQL
> injecting a DROP of a table in my software.

But where are your tables?

-- 
underground experts united
https://dataswamp.org/~incal