I always use bindings. e.g. "where id=:id" binding=":id=form.id"
On Mon, Jun 30, 2014 at 4:00 AM, David Hunter <[email protected]> wrote:

> This is slightly outdated documentation but valid regarding encoding
> strings for various uses in Roxen.
> http://docs.roxen.com/roxen/4.5/web_developer_manual/entity/encoding.xml
>
> Change "where id=&form.id;" to "where id=&form.id:mysql;" and you will
> avoid escaping in MySQL.
>
> Dave Hunter..
>
>
> On Mon, Jun 30, 2014 at 10:30 AM, Michael A. Patton <[email protected]> wrote:
>
>> On my personal web site I have several sets of pages that use form
>> arguments for communication. It's been pointed out that I need to do
>> better validation to avoid injection attacks. Primarily, the various
>> pages are invoked with "?id=N" for some integer N. But, right now it
>> just uses that, for example, in a MySQL query "where id=&form.id;"
>> clause. That means that you could invoke the page with "?id=1 or true"
>> at the end and subvert the where clause. Actually, another test that I
>> recently added seems to fix this specific case. But, presumably, more
>> elaborate hacking could get the MySQL to do useful things for you. So
>> what I need is appropriate RXML that can _safely_ validate that form.id
>> is an integer (I already check the case where there's no match in the
>> table).
>>
>> The best trick I've come up with so far is:
>> <if expr='STRING(INT("&form.id;")) == "&form.id;"'>
>> But that is still subject to injection attacks, if you put double quotes
>> in the form argument. But, it seems to work against anything else...
>>
>> So, my question for the list is: Is there a good standard way to do form
>> argument validation in RXML? I can see doing it with some added Pike
>> code (a new if plugin that takes a var _name_ and validates the content
>> for you.) But from RXML everything I've thought of has problems with
>> some form of injection attack.
>>
>> If you want to see the actual pages, they are among other things, the
>> library catalog at <http://MAP.MAP-NE.com/Library/> (but these don't
>> even have that above test in them, yet, only the dev version does, so
>> please don't abuse this too much).
>>
>> ___
>> /| /| /| \       Michael A. Patton, President   [email protected]
>> / | / | /_|__/   MAP Network Engineering        http://MAP-NE.com
>> / |/ |/ |        Network Infrastructure design: Routing, DNS, more
>>
>

--
Marc Dirix Computers
Schmeddingstraat 24
6361AZ Nuth
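The difference between splicing "&form.id;" into the query text and binding it as a parameter (":id" in Marc's reply), shown as an added Python/sqlite3 example that is not part of this thread and not Roxen or RXML code; the table and form values are constructed stand-ins for the catalog pages Michael describes:

```python
import re
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the MySQL table the pages query.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE books (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO books VALUES (?, ?)",
                   [(1, "First"), (2, "Second"), (3, "Third")])
    return db


def lookup_interpolated(db, form_id):
    # Same shape as "where id=&form.id;": the raw argument becomes SQL text,
    # so "1 or true" widens the WHERE clause to every row.
    rows = db.execute(f"SELECT id FROM books WHERE id={form_id}").fetchall()
    return [r[0] for r in rows]


def lookup_bound(db, form_id):
    # Same shape as "where id=:id" with a binding: the value travels
    # separately from the SQL text, so operators inside it are inert data.
    rows = db.execute("SELECT id FROM books WHERE id=:id",
                      {"id": form_id}).fetchall()
    return [r[0] for r in rows]


def is_plain_integer(value):
    # Validation that never splices the value into an expression, unlike
    # STRING(INT("&form.id;")) == "&form.id;", so quotes cannot break out.
    return re.fullmatch(r"[0-9]+", value) is not None


def lookup_validated(db, form_id):
    # Belt and braces: reject anything that is not digits, then still bind.
    if not is_plain_integer(form_id):
        raise ValueError("id must be an unsigned integer")
    return lookup_bound(db, int(form_id))
```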
