Thank you Niphlod.
I've seen that db.executesql receives the "placeholders" argument in order
to do the escaping.
I've modified my code to this:
def search():
results = db.executesql('SELECT * FROM contenido WHERE tsv @@
plainto_tsquery(%s)', placeholders=[request.vars.q])
return dict(results=results)
*Can you confirm that this is the proper way to do it? *
I couldn't find much documentation about that, just this:
- http://web2py.com/books/default/chapter/29/6#executesql
-
https://groups.google.com/forum/#!searchin/web2py/executesql$20placeholders$20escape%7Csort:relevance/web2py/kblhrTsVW6M/2vJ_afgty34J
Thanks in advance!
El martes, 13 de septiembre de 2016, 6:51:55 (UTC-3), Niphlod escribió:
>
> app/controller/function&q=everythingyoucanthinkof .
>
> NEVER . EVER. EVER. build queries without proper escaping.
>
> On Monday, September 12, 2016 at 3:12:50 PM UTC+2, Lisandro wrote:
>>
>> Hi there!
>> I have a simple view with a form (with GET method), in order to allow my
>> visitors to do some search.
>> The controller/function that processes the get is this:
>>
>> def search():
>> session.forget(response)
>> query = "tsv @@ plainto_tsquery('%s')" % request.vars.q
>> total = db.executesql('SELECT COUNT(*) FROM contenido WHERE %s' %
>> query)
>> results = db(query).select()
>> return dict(results=results)
>>
>> As you can see, I use a tsv field to implement postgresql full text
>> search. The funcion is working ok.
>> But *yesterday, I had an attack attempt*, or something like that. In
>> just one hour, some robot sent a lot of queries to that URL, putting
>> "garbage" in the "q" parameter.
>>
>> How did I notice that? Well, *in just one hour around 500 error tickets
>> were created* in the /errors folder. All the errors have this form:
>>
>> - unterminated quoted string at or near
>> "'../../../../../../../../../../windows/win.ini" LINE 1: ...tsv @@
>> plainto_tsquery('../../../... ^
>> - unterminated quoted string at or near
>> "'1some_inexistent_file_with_long_name" LINE 1: ...tsv @@
>> plainto_tsquery('1some_ine... ^
>> - unterminated quoted string at or near
>> "'../../../../../../../../../../etc/passwd" LINE 1: ...tsv @@
>> plainto_tsquery('../../../... ^
>> - invalid byte sequence for encoding "UTF8": 0xf0 0x20 0x20 0xf0
>> - invalid byte sequence for encoding "UTF8": 0xf6 0x22 0x20 0x6f
>> - invalid byte sequence for encoding "UTF8": 0xa0
>>
>>
>> *I've already tried to use the search form with those query strings, but
>> I cannot reproduce the error.*
>> *How could the robot send those bytes to the query function?*
>>
>> Of course I can add a try: except: block, however I was wondering how to
>> reproduce the error, I wasn't able to do it.
>> Any help will be appreciated.
>>
>> Thanks in advance!
>> Regards,
>> Lisandro.
>>
>
--
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
---
You received this message because you are subscribed to the Google Groups
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to web2py+unsubscr...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
