Re: quoting pains

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
MPatrick Fleming, EA at <-
MCraig White at ->
Attachments:
Message as email
+ (text/plain)
+ (text/html)
Delete this message
Reply to this message
Author: Joseph Sinclair
Date:  
To: plug-discuss
Subject: Re: quoting pains
2 items:
1) Unless your platform forces it, don't build SQL strings anywhere.
SQL should be static strings using bind variables (also known as
prepared statements, look it up in the reference for the SQL interface
you're using). Dynamic SQL is susceptible to SQL injection, and makes
the entire site difficult to maintain and simultaneously easy to break
(both from a cracker standpoint, and from a maintenance standpoint).

2) To pass quoted strings in (X)HTML, you have to escape the quotes.
(X)HTML escapes characters differently from most programming languages,
and you have to follow it's rules. The mistake in your code is that
you're trying to use PHP escapes in HTML text, and that won't work,
since HTML doesn't consider the [\] character an escape character in
attribute content.
As an example, here's your string escaped for (X)HTML:
"SELECT * from horde_datatree WHERE user_uid = &quot;jennifer&quot; AND
(group_uid = &apos;horde.shares.kronolith&apos; OR group_uid =
&apos;horde.shares.nag&apos; OR group_uid = &apos;horde.shares.imp&apos;
OR group_uid = &apos;horde.shares.turba&apos; OR group_uid =
&apos;horde.shares.mnemo&apos;)"

Note: &quot; is used for ["] and &apos; is used for [']. Other
character references may be inserted as needed, the full list is
available at (www.w3.org). For characters without a defined entity, the
Unicode escape (&#NNNN; where NNNN is the decimal Unicode character
value) may also be used. the full details of character escaping in XML
and HTML are found in the specs available at (www.w3.org).

Many languages have open source libraries available to escape the
characters in a string for XML/HTML, check around to see if there's one
for your application.

==Joseph++

Craig White wrote:

>On Mon, 2005-03-21 at 20:19 -0500, wrote:
>
>
>>On Mon, 21 Mar 2005, Craig White wrote:
>>
>>
>>>I have a problem with quoting strings
>>>
>>>
>><snip>
>>
>>
>>>which when POSTed - results in...
>>>
>>>
>>AH! Don't pass an SQL query as a variable to a webpage. That means, if
>>someone figures out what you're doing they can query anything in your
>>database. They could post any SQL query that they wanted. Unless this
>>is a very internal site, or you're somehow validating that string, you
>>should change the way you're approaching this problem.
>>
>>
>>
>----
>thanks for the advice - I suppose that I could pass the variables that I
>used to identify/define the search itself, I could probably 'rebuild'
>the string on the target - but this is in essence internal, it carries
>no credentials, only the search string via a unix socket so I am not so
>fearful.
>
>Fields and values wouldn't be that hard to deduce - GPL software / known
>users.
>
>Craig
>
>---------------------------------------------------
>PLUG-discuss mailing list -
>To subscribe, unsubscribe, or to change you mail settings:
>http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
>
>
This message was posted to the following mailing lists:
Plug Discuss
Mailing List Info | Nearby Messages		<-Finally posted presentations!Re: quoting pains->
Some Mailing List Archive administrated by UnconfiguredLurker (version 2.3)