Re: Printf and quoting in general, SQL injection in particular
From: Yuri Khan
Subject: Re: Printf and quoting in general, SQL injection in particular
Date: Sat, 26 Jun 2021 14:30:59 +0700
On Sat, 26 Jun 2021 at 13:56, Emanuel Berg via Users list for the GNU
Emacs text editor <help-gnu-emacs@gnu.org> wrote:
> Relax, this notion that you shouldn't construct file paths by
> string functions, nor SQL queries for that matter, and what
> more? hyperlinks?
Hyperlinks, too.
One of the requirements of URLs is that all non-ASCII and some ASCII
characters be %-encoded when used in the path or query string, or
punycode-encoded when used in the host name:
;; Plain concatenation does not %-encode the non-ASCII term.
;; (The original used "http://" in BASE but "https://" in the expected
;; value; both now say "https://" so that the only difference is the
;; missing encoding.)
(let* ((base "https://ru.wikipedia.org/wiki/")
       (term "Гиперссылка")
       (joined (concat base term)))
  (assert (string= joined
                   "https://ru.wikipedia.org/wiki/%D0%93%D0%B8%D0%BF%D0%B5%D1%80%D1%81%D1%81%D1%8B%D0%BB%D0%BA%D0%B0")))
;; alas, no: JOINED still contains the raw Cyrillic characters
Another rule is that resolving a relative reference containing a path
against a base URL will drop the last segment of the base:
;; Concatenation keeps the base's last segment ("foo") instead of
;; replacing it, as relative-reference resolution would.
(let* ((base "http://example.org/foo")
       (href "bar")
       (resolved (concat base href)))
  (assert (string= resolved "http://example.org/bar")))
;; also no: RESOLVED is "http://example.org/foobar"
String concat does not know any of these rules.
It is okay to represent file names, SQL queries, and URLs as strings
*internally*. It is okay to use string functions to implement
high-level domain-specific functions. In many cases, interoperating
with external code will also require these things represented as
strings. But it is a good idea to use domain-specific functions to
manipulate file names, queries, and URLs, rather than string
functions, because this way you are less likely to violate those
types’ invariants.
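The same two URL rules, plus the SQL case from the subject line, redone with domain-specific functions. This is an added example, not code from the post or from Emacs; it uses Python's urllib.parse and sqlite3, with a constructed in-memory table.

```python
"""Added example: URL path encoding, relative-reference resolution and SQL
parameter binding done by the library that knows the type's invariants,
instead of by string concatenation."""
import sqlite3
from urllib.parse import quote, urljoin


def join_path_segment(base: str, term: str) -> str:
    """Append one path segment, %-encoding its UTF-8 bytes.

    quote() keeps '/' unescaped by default, which is wrong for a single
    segment, so safe="" is passed explicitly."""
    return base + quote(term, safe="")


def resolve_reference(base: str, href: str) -> str:
    """Resolve HREF against BASE with RFC 3986 rules: a relative path
    replaces the base's last segment, which concat cannot know."""
    return urljoin(base, href)


def lookup_user(name: str, *, safe: bool) -> list:
    """Look NAME up in a constructed table, either by binding it as a
    parameter (safe=True) or by splicing it into the SQL text (safe=False).

    A legitimate name containing an apostrophe is enough to show that the
    spliced version violates the query's invariants: SQLite rejects it as a
    syntax error, while the bound parameter needs no quoting at all."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT)")
    # constructed sample rows
    con.executemany("INSERT INTO users VALUES (?)",
                    [("alice",), ("o'brien",)])
    try:
        if safe:
            sql = "SELECT name FROM users WHERE name = ?"
            return con.execute(sql, (name,)).fetchall()
        sql = "SELECT name FROM users WHERE name = '" + name + "'"
        return con.execute(sql).fetchall()
    finally:
        con.close()
```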