Re: [Pharo-users] SQL queries without injection vulnerability (DBXTalk)


Mariano Martinez Peck
I'm porting this program from PHP. It's a US Census browser, if you're curious: http://census.7gf.org . Anyway, it's basically one table and a huge pile of indexes and some set queries. Each page there is just a different query or two. I got through the front page and the about page with Seaside and PostgresV3 and it works great, but now I need to handle a query with the state as a parameter. In PHP (and JDBC, and Python's DBAPI), I can say "SELECT * FROM places WHERE state = ? ORDER BY population DESC" and then supply an array with the state in it, which fills in the '?' in the query.

Hi Daniel,

The sentence above could be a huge difference: 

"SELECT * FROM places WHERE state = ? ORDER BY population DESC"

One thing is a prepared statement. That means the database can compile the query in advance, then reuse it later, and when you execute it all it does is bind variables to arguments. This is mostly for performance reasons. If you want this, no, as far as I remember, the openDBX driver does not support prepared statements right now.

If you simply mean to write the above in smalltalk code, then that's very easy:

'SELECT * FROM places WHERE state = {1} ORDER BY {2} DESC' format: #('FL' 'population')

and that answers

 'SELECT * FROM places WHERE state = FL ORDER BY population DESC'

but this is only at Smalltalk code, just an API facility. It has nothing to do with prepared statement. The database will directly receive the query.


Regarding the SQL injection, yes, we didn't implement the one provided by OpenDBX, but you can give it a try yourself....but you would need to recompile stuff. 

Also, as mentioned by Joachim, if you use Glorp, you are not likely to write the queries yourself... so at least that helps... but I don't know if Glorp provides something extra against SQL injection. You could ask in the Glorp Google group.

Cheers, 


--
Mariano
http://marianopeck.wordpress.com
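The distinction Mariano draws above (a `format:`-style substitution that only edits the SQL text on the client side, versus a `?` placeholder that the driver binds as a value) is the whole difference for injection. The following is an added illustration, not code from the thread or from DBXTalk/OpenDBX; it uses Python's DB-API with an in-memory SQLite table standing in for the census `places` table (table contents and the `places` columns are constructed for the demo), because that is the `?` style Daniel referred to:

```python
import sqlite3

# Constructed sample rows standing in for the census "places" table.
SAMPLE_PLACES = [
    ("Miami", "FL", 400000),
    ("Orlando", "FL", 250000),
    ("Atlanta", "GA", 450000),
]


def make_db():
    """Build an in-memory SQLite database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE places (name TEXT, state TEXT, population INTEGER)")
    conn.executemany("INSERT INTO places VALUES (?, ?, ?)", SAMPLE_PLACES)
    return conn


def query_by_format(conn, state):
    """Client-side string substitution, the equivalent of the Smalltalk format: call.

    The value is pasted into the SQL text (and the quotes have to be added by hand,
    which the format: example in the post does not do), so the database parses
    whatever the value contains as SQL.
    """
    sql = "SELECT name FROM places WHERE state = '{0}' ORDER BY population DESC".format(state)
    return [row[0] for row in conn.execute(sql)]


def query_by_binding(conn, state):
    """DB-API parameter binding: the SQL text is fixed and the value travels separately.

    The driver never interprets the bound value as SQL, so quotes inside it are
    just characters of the string being compared.
    """
    sql = "SELECT name FROM places WHERE state = ? ORDER BY population DESC"
    return [row[0] for row in conn.execute(sql, (state,))]


def demo():
    """Run both styles on a normal value and on a value that contains a quote."""
    conn = make_db()
    honest = "FL"
    awkward = "FL' OR 'a'='a"  # constructed input containing a single quote
    return {
        "format_honest": query_by_format(conn, honest),
        "format_awkward": query_by_format(conn, awkward),
        "bind_honest": query_by_binding(conn, honest),
        "bind_awkward": query_by_binding(conn, awkward),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:15s} -> {rows}")
```

With the normal value both functions return the two Florida rows. With the value containing a quote, the formatted query silently becomes `WHERE state = 'FL' OR 'a'='a'` and returns every row in the table, while the bound query compares `state` against the literal string and returns nothing. That is why, even when the driver offers no server-side prepared statements (as Mariano notes for openDBX), client-side binding or escaping done by the driver, rather than `format:` on the raw SQL string, is the safe way to put user-supplied values such as a state code into a query.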
