Re: Printf and quoting in general, SQL injection in particular
From: Emanuel Berg
Subject: Re: Printf and quoting in general, SQL injection in particular
Date: Sat, 26 Jun 2021 09:57:48 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/28.0.50 (gnu/linux)
Yuri Khan wrote:
>> Relax, this notion that you shouldn't construct file paths
>> by string functions, nor SQL queries for that matter, and
>> what more? hyperlinks?
>
> Hyperlinks, too.
>
> One of the requirements of URLs is that all non-ascii and
> some ascii characters be %-encoded when used in the path or
> query string, or punycode-encoded when used in the host
> name:
>
> (let ((base "http://ru.wikipedia.org/wiki/")
>       (term "Гиперссылка")
>       (joined (concat base term)))
>   (assert (string= joined
>                    "https://ru.wikipedia.org/wiki/%D0%93%D0%B8%D0%BF%D0%B5%D1%80%D1%81%D1%81%D1%8B%D0%BB%D0%BA%D0%B0")))
> ;; alas, no
>
> Another rule is that resolving a relative reference
> containing a path against a base URL will drop the last
> segment of the base:
>
> (let ((base "http://example.org/foo")
>       (href "bar")
>       (resolved (concat base href)))
>   (assert (string= resolved "http://example.org/bar"))) ;; also no
>
> String concat does not know any of these rules.
>
> It is okay to represent file names, SQL queries, and URLs as
> strings *internally*. It is okay to use string functions to
> implement high-level domain-specific functions. In many
> cases, interoperating with external code will also require
> these things represented as strings. But it is a good idea
> to use domain-specific functions to manipulate file names,
> queries, and URLs, rather than string functions, because
> this way you are less likely to violate those
> types’ invariants.
Interesting, what about typing? Not as error-prone, because
you see the result?
So it is like a three-stage hierarchy, or procedure rather,
1. typing (just type, you see it anyway)
2. manipulate (domain-specific functions)
3. use
(For hyperlinks, step 1 could be done with a lot of functions
(protocol (domain (path (page (page-type ...) ? That'd just be
grotesque. I don't know if that'd be more safe, really?)
But OK, so instead of "anything goes, then verify input at
step 3" - which is where it matters BTW - the approach is
_type carefully_, then just exclusively use domain-specific
manipulators. So all you have to care about is the typing
part, because after that, it won't get messed up!
I see the point, but - to be honest, string manipulation at
this very basic level - and typing - I don't know, I feel kind
of comfortable doing BOTH by now :) But never say never...
I still don't understand what to replace my stuff with tho,
(let* ((emacs-dir "~/.emacs.d")
       (lisp-dir (format "%s/lisp" emacs-dir))
       (init-dir (format "%s/emacs-init" emacs-dir))
       (erc-dir (format "%s/erc" init-dir))
       (gnus-dir (format "%s/gnus" init-dir))
       (ide-dir (format "%s/ide" init-dir))
       (w3m-dir (format "%s/w3m" init-dir))
       (dirs (list lisp-dir
                   init-dir
                   erc-dir
                   gnus-dir
                   ide-dir
                   w3m-dir)))
  ...
--
underground experts united
https://dataswamp.org/~incal
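The two URL rules Yuri quotes above, plus the parameterised-query counterpart for the thread's SQL subject, as an added Python example (not code from the thread or from Emacs; it uses the standard library's urllib.parse and sqlite3 as the "domain-specific functions", and writes the Wikipedia base as https so that only the encoding differs from the expected URL):

```python
import sqlite3
from urllib.parse import quote, urljoin

# Constructed inputs, taken from the two URL examples in the thread.
WIKI_BASE = "https://ru.wikipedia.org/wiki/"
TERM = "Гиперссылка"
EXPECTED_WIKI = (WIKI_BASE +
                 "%D0%93%D0%B8%D0%BF%D0%B5%D1%80%D1%81%D1%81%D1%8B%D0%BB%D0%BA%D0%B0")


def url_with_term(base, term):
    """Rule 1: a path segment must be percent-encoded (UTF-8 bytes as %XX).
    quote() knows that rule; base + term leaves the Cyrillic letters raw."""
    return base + quote(term, safe="")


def url_resolve(base, href):
    """Rule 2: resolving a relative reference against a base drops the base's
    last segment, so 'foo' disappears; base + href would give .../foobar."""
    return urljoin(base, href)


def make_db():
    """In-memory table whose second title contains an apostrophe; bound as a
    parameter it is plain data, exactly like a percent-encoded path segment."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (title TEXT, hits INTEGER)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)",
                     [(TERM, 42), ("O'Reilly", 7)])
    return conn


def lookup_hits(conn, title):
    """Parameter binding is SQL's domain-specific function: the driver quotes."""
    row = conn.execute("SELECT hits FROM pages WHERE title = ?",
                       (title,)).fetchone()
    return None if row is None else row[0]


def naive_lookup_fails(conn, title):
    """printf-style interpolation, the thread's subject, breaks on an ordinary
    apostrophe; returns True when SQLite rejects the string-built statement."""
    try:
        conn.execute("SELECT hits FROM pages WHERE title = '%s'" % title)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    print(url_with_term(WIKI_BASE, TERM) == EXPECTED_WIKI)   # True
    print(url_resolve("http://example.org/foo", "bar"))      # http://example.org/bar
    print(naive_lookup_fails(make_db(), "O'Reilly"))         # True
```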