On Sun, Dec 6, 2009 at 9:27 PM, Don Baccus wrote:
> Just go away until you 1) understand the SQL standard and 2) Oracle.
Don! I am not the author of a database driver which cannot distinguish
the empty string and NULL, a driver for a database which can make the
distinction.
That is you.
When de
On 12/7/09 9:52 AM, Björn Þór Jónsson wrote:
> But [ns_dbquotevalue $id] works fine - so I should be pretty safe with that?
You will be "safe" in that user-supplied input contained in $id will not
be able to result in a SQL injection attack.
--
Dossy Shiobara | do...@panoptic.com |
Thanks all for the feedback!
The :id syntax doesn't work for me in this case (plain ADP pages in
AOLserver) and I guess that is OpenACS specific (I run one such instance).
But [ns_dbquotevalue $id] works fine - so I should be pretty safe with that?
For the record: I'm running PostgreSQL 8.1.4 a
Oh, it makes perfect sense within the formal framework of SQL. "no
value" is not the same as "a value which is empty".
The difference isn't as obvious with strings, but "i = 0" is not the
same as "I have no value for i". Unknowns are important.
In Tcl we do it typically by saying [info exis
On Dec 6, 2009, at 9:16 PM, Rusty Brooks wrote:
Why is it that you can't get "out" what you put "in"? 'is null'
doesn't make a lot of sense to me to begin with (please, just accept
test=NULL!)
Oh, it makes perfect sense within the formal framework of SQL. "no
value" is not the same as
On Dec 6, 2009, at 9:19 PM, Rusty Brooks wrote:
And in regards to protecting from sql injections, using ns_dbquote
and the binding emulation both seem like they'd do the trick.
If a user types in NULL and you call ns_dbquote, you'll get 'NULL'.
Just as with the binding emulation.
The only w
On Dec 6, 2009, at 1:49 PM, Tom Jackson wrote:
The "requirement" is the ability to handle both the empty string and
NULL.
Personally I like the Oracle behavior.
I mean, hell, there's even a daily WTF post about it:
http://forums.thedailywtf.com/forums/p/1225/26879.aspx
(in which many re
On Dec 6, 2009, at 1:49 PM, Tom Jackson wrote:
The "requirement" is the ability to handle both the empty string and
NULL.
Personally I like the Oracle behavior.
I mean ... it might help if you actually *knew* the Oracle behavior
before posting an opinion, positive or negative, about it.
On Dec 6, 2009, at 1:49 PM, Tom Jackson wrote:
The "requirement" is the ability to handle both the empty string and
NULL.
Personally I like the Oracle behavior.
Seeing as the empty string is equivalent to NULL in Oracle, this is
one of the stupidest statements I've ever s
And in regards to protecting from sql injections, using ns_dbquote and
the binding emulation both seem like they'd do the trick. If your bind
variable or quoted variable contains something like NULL or a bit of SQL
or a special column like the postgres equivalent of "sysdate" which is
slipping
Personally I like the Oracle behavior.
Man, I hate it. See code at the end of this email.
Why is it that you can't get "out" what you put "in"? 'is null' doesn't
make a lot of sense to me to begin with (please, just accept test=NULL!)
but the fact that oracle turns my '' into a null means t
On Sat, Dec 5, 2009 at 6:01 PM, Don Baccus wrote:
> On Dec 5, 2009, at 5:13 PM, Tom Jackson wrote:
>>
>> Tcl can write a query string which uses the keyword NULL.
>> Unfortunately the simple (but very nice and also safe) bind variable
>> concept doesn't handle this common requirement.
>
> You've g
On Dec 5, 2009, at 5:13 PM, Tom Jackson wrote:
On Sat, Dec 5, 2009 at 8:37 AM, Don Baccus
wrote:
On Dec 4, 2009, at 12:03 PM, Tom Jackson wrote:
The problem remains for other databases using the ns_db APIs. The
quoting examples are general, but don't always work.
The person's using PG so
On Dec 5, 2009, at 5:13 PM, Tom Jackson wrote:
Really? The title of the post says AOLserver is vulnerable.
No, it says ..." [AOLSERVER] Is this vulnerable to sql injection?"
"[AOLSERVER]" is the name of this mailing list, not the antecedent of
"this".
"
On Sat, Dec 5, 2009 at 8:37 AM, Don Baccus wrote:
> On Dec 4, 2009, at 12:03 PM, Tom Jackson wrote:
>>
>> The problem remains for other databases using the ns_db APIs. The
>> quoting examples are general, but don't always work.
>
> The person's using PG so a PG-specific solution solves the problem
OK, I tried it, and you're right, I stand corrected. I seemed to recall
it operating differently.
Rusty
Don Baccus wrote:
On Dec 5, 2009, at 10:34 AM, Rusty Brooks wrote:
I'm not sure what would happen if you had actual binding, like the
oracle driver and did this
If you want to learn h
On Dec 5, 2009, at 10:34 AM, Rusty Brooks wrote:
I'm not sure what would happen if you had actual binding, like the
oracle driver and did this
If you want to learn how Oracle bind variables work, the Oracle
documentation is online ...
set val NULL
set sql "update mytable set mycolumn=
Tcl doesn't implement the null concept. 'set foo ""' sets foo to the
empty string, not null.
Right but there's a big difference between this
set val NULL
set sql "update mytable set mycolumn=$val"
and this
set val NULL
set sql "update mytable set mycolumn=[ns_quotedb $val]"
I'm not sure wha
On Dec 4, 2009, at 12:03 PM, Tom Jackson wrote:
The problem remains for other databases using the ns_db APIs. The
quoting examples are general, but don't always work.
The person's using PG so a PG-specific solution solves the problem.
No reason to make this more complex when a simple solution
On Fri, Dec 4, 2009 at 10:56 AM, Don Baccus wrote:
> On Dec 4, 2009, at 10:29 AM, Jeff Rogers wrote:
>>
>> Unfortunately the postgres driver doesn't protect against dml
>> injection.
>
> The bind variable emulation does. It essentially does the quoting that an
> earlier poster recommended
On Dec 4, 2009, at 3:15 PM, iuri de araujo sampaio wrote:
reading the last discussion ...
aside the magic words from Don to just change $id to :id that would
solve the issue
and the nice and very conceptual answer from jeff i tried to play a
bit in attempt to understand and practice the
reading the last discussion ...
aside the magic words from Don to just change $id to :id that would
solve the issue
and the nice and very conceptual answer from jeff
i tried to play a bit in attempt to understand and practice the
sqlinjection stuff
I tried to run the following tcl script
On Dec 4, 2009, at 10:29 AM, Jeff Rogers wrote:
Unfortunately the postgres driver doesn't protect against
dml injection.
The bind variable emulation does. It essentially does the quoting
that an earlier poster recommended one do manually.
No muss, no fuss...
Don Baccus
htt
The short answer is yes, it might be vulnerable; it depends on what
scrubbing you do of your input data.
The good news it that it's also fairly easy to fix. If you're using
openacs then there's already a set of tools
(check_for_form_variable_naughtiness) for checking what is being passed
int
On 12/4/09 11:00 AM, bthj wrote:
> set sql_query "select * from sometable where entrynumber = $id"
Replace $id with [ns_dbquotevalue $id] instead.
--
Dossy Shiobara | do...@panoptic.com | http://dossy.org/
Panoptic Computer Network | http://panoptic.com/
"He realized the fastest
On Dec 4, 2009, at 8:00 AM, bthj wrote:
In a previous discussion thread here ("ns_db and bind variable
support") I see "ns_db prepare..." mentioned. Is that a safer way to
perform db queries in adp pages?
Just use the bind variable emulation ... select * from foo where id
= :id rather tha
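Added example, not code from this thread, from AOLserver or from nspostgres: a small Tcl model of the manual quoting that ns_dbquotevalue does and of the :name bind-variable emulation Don describes, written to show the two points the thread keeps coming back to, that quoted input stays inside the string literal, and that a Tcl value of NULL is quoted to the four-letter string rather than the SQL keyword. The helpers quote_value, bind_emulate and null_or_quoted are hypothetical names, and the table and column names are constructed.

```tcl
# Quote one value as a SQL string literal: double every embedded single
# quote, then wrap the result in quotes. This is the manual quoting the
# thread refers to; it is a model of ns_dbquotevalue, not its source.
proc quote_value {value} {
    return "'[string map {' ''} $value]'"
}

# Replace each :name token with the quoted value of the caller's Tcl
# variable of that name, the way the thread describes the emulation.
# Simplified: it does not skip :name sequences inside string literals.
proc bind_emulate {sql} {
    set out $sql
    foreach {token name} [regexp -all -inline {:(\w+)} $sql] {
        set value [uplevel 1 [list set $name]]
        # Escape & and \ so regsub inserts the quoted value literally.
        set literal [string map {\\ \\\\ & \\&} [quote_value $value]]
        regsub -all ":$name\\M" $out $literal out
    }
    return $out
}

# Tcl has no null. To send a SQL NULL the script must emit the keyword
# itself, unquoted, and decide which Tcl value (here "") means "no value".
proc null_or_quoted {value} {
    if {$value eq ""} { return NULL }
    return [quote_value $value]
}

# A plain numeric id is wrapped in quotes and compared as a literal.
set id 42
puts [bind_emulate "select * from sometable where entrynumber = :id"]

# An embedded quote is doubled, so it cannot end the literal early;
# whatever follows it in the input stays part of the surname value.
set name "O'Brien"
puts [bind_emulate "select * from people where surname = :name"]

# The Tcl value NULL is quoted like any other string: the statement
# stores the text NULL, not a SQL NULL (the point made above about
# ns_dbquote and the emulation behaving the same way).
set val NULL
puts [bind_emulate "update mytable set mycolumn = :val"]

# Only an explicit branch in the Tcl code produces the unquoted keyword.
set val ""
puts "update mytable set mycolumn = [null_or_quoted $val]"
```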
> I've been alerted that a site I maintain, running on AOLserver 4.5.0
> using the nspostgres driver, may be vulnerable to sql injection.
>
> A typical adp page performs a query like this:
>
> set sql_query "select * from sometable where entrynumber = $id"
>
> In a previous discussion thread her
Hi,
I've been alerted that a site I maintain, running on AOLserver 4.5.0
using the nspostgres driver, may be vulnerable to sql injection.
A typical adp page performs a query like this:
set sql_query "select * from sometable where entrynumber = $id"
set db [ns_db gethandle]
set selection [ns_db s