Re: Printf and quoting in general, SQL injection in particular [was: Emacs Modular Configuration: the preferable way]

[Jean Louis]

* Emanuel Berg <moasenwood@zoho.eu> [2021-06-26 02:31]:
> > There is nothing special to SQL then to any other kind of
> > user's input. In fact, PostgreSQL and MySQL or MariaDB are
> > rather safe databases.
> 
> I think that has turned into a schoolbook example because it
> has a cool name and everyone will understand it instantly.
> So it can serve the educational purpose to illuminate this in
> all of computing to not execute or use user input, without
> checking it out first. Indeed it would surprise me if you
> could just do it out-of-the-box for modern database management
> systems and expect it to be just wide open there for you to
> do it.

There is way to go and that is by providing parameters that are automatically 
escaped.

pq:query is a module function.

(pq:query CONN COMMAND &rest PARAMETERS)

Execute COMMAND on CONN with optional PARAMETERS.

Run an SQL command on a connection obtained by ‘pq:connectdb’.
If PARAMETERS are used, you can reference them in COMMAND using
$1, $2, ..., $12.

Return the list of rows returned by the last statement in COMMAND.
Rows are returned as atomic values if the statement yields a single
column, or a vector of values if it yields more than one column.

I am anyway SQL escaping all of the input values to database. 

Since we talked I have moved to better workflow and now I am
first preparing one part of the SQL command without user's input
and then using the user's input as a parameter that prevents those problems.

I just guess it should be similar in MariaDB or MySQL. But I
don't use it due to lack of readline and command expansion.

> > On the other hand injecting simple malicious Emacs Lisp
> > anywhere in any file is as a possible option omni-present on
> > Internet, and we don't even speak about that.
> 
> Well, it doesn't work like that, really.

It is about the same danger. Practically there was never danger
on my side as it is me who is using the database which is motly
the case with many database applications. Problem comes with a
large users base where malicious people may start doing something
to the company or public or unknown crackers or script
kiddies. It is better not to classify possible problematic
sources and just do it more safe.

> > Thousands of users are blindly accepting programs from MELPA
> 
> Ha ha, thousands of users are doing that blindly! My, my.
> How many people are doing it with ONE EYE open, you think?

Well, without watching in the code. Click and install. There is
no real security involved and users don't watch what is being
installed, as Internet is large it is quite easy to create a game
and make backdoor in Emacs or do other malicious stuff. It is
also possible to make a module and do same. Until we know it, we
cannot know it.

> > Bounty is US $10 from my side if somebody succeeds to SQL
> > inject in my software a DROP of a table.
> 
> But where are your tables?

Find it for the bounty.

-- 
Jean

Take action in Free Software Foundation campaigns:
https://www.fsf.org/campaigns

In support of Richard M. Stallman
https://stallmansupport.org/