Re: [Catacomb] dbms.c proposed changes
Thanks for your message and ideas.
It is really a trick to pass in something like "'; drop database repos;"
But it is not a problem to the mysql_query function in MySQL, because
'mysql_query' only allows a single SQL statement. So, the forged
SQL command will generate a syntax error. Whereas this trick may
be fatal to other databases. Anyway, it is a big security concern.
Thank you very much.
On Wed, 4 Sep 2002, Chris Knight wrote:
> In reviewing the code for Catacomb, I realized that there is a
> (common) security problem with the dbms.c file, namely that using
> sprintf with strings to generate SQL queries can be broken by a
> well-designed value (For example, if you manage to pass a url that
> looked something like "'; drop database repos;" the query would result
> in a valid drop database statement being executed, quite deadly!) The
> best solution is to use the string escaping mechanism provided by
> MySQL's C API, but it's a bit clunky to insert into the existing code.
> This issue, coupled with my desire to connect Catacomb to other RDBMSs
> (particularly PostgreSQL) had me thinking last night about coming up
> with a more generic, JDBC-style interface. I've attached a first pass at
> a .h file for such a thing. I could probably have the code written for
> this by end-of-day today and all of the queries in dbms.c should be
> changed to use this mechanism. I'm sure there will be more functions
> (dbms_set_X) and wrappers for results retrieval.
> Sound good?
> Alternatives include libdbi.sourceforge.net (although it doesn't provide
> the automatic escaping of parameters and you can't pre-fill parameters,
> we might be able to influence the project to include such features) or
> possibly ODBC interfaces...
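The sprintf-versus-binding contrast discussed in the thread, as an added example in C that is not Catacomb's dbms.c: a toy dbms_set_X-style placeholder binder beside the splice-it-in pattern it replaces. escape_sql() is a stand-in for mysql_real_escape_string() so the block builds without libmysqlclient, and the repos/url schema is assumed.

```c
/* Added example, not Catacomb's dbms.c: a minimal JDBC-style binder in the
 * spirit of the proposed dbms.h, beside the sprintf pattern it replaces.
 * escape_sql() stands in for mysql_real_escape_string() (needs a live MYSQL*;
 * the real one also handles NUL, newline and Ctrl-Z). Schema is made up. */
#include <stdio.h>
#include <string.h>
#define QBUF 256
static const char *HOSTILE = "'; drop database repos;";           /* value from the thread */
static const char *TMPL = "SELECT id FROM repos WHERE url = ?";    /* assumed schema */
/* The pattern under discussion: the value is spliced straight into the SQL text. */
static void build_unsafe(char *out, size_t n, const char *url) {
    snprintf(out, n, "SELECT id FROM repos WHERE url = '%s'", url);
}
/* Backslash-escape quotes and backslashes; returns bytes written (NUL excluded). */
static size_t escape_sql(char *dst, size_t n, const char *src) {
    size_t w = 0;
    for (; *src && w + 2 < n; src++) {
        if (*src == '\'' || *src == '"' || *src == '\\') dst[w++] = '\\';
        dst[w++] = *src;
    }
    dst[w] = '\0';
    return w;
}
/* dbms_set_string()-style binding: the first '?' in tmpl becomes a quoted,
 * escaped literal, so the value can never close the quote. 0 on success. */
static int bind_string(char *out, size_t n, const char *tmpl, const char *val) {
    const char *q = strchr(tmpl, '?');
    char esc[QBUF];
    if (!q) return -1;                      /* no placeholder to fill */
    escape_sql(esc, sizeof esc, val);
    int r = snprintf(out, n, "%.*s'%s'%s", (int)(q - tmpl), tmpl, esc, q + 1);
    return (r < 0 || (size_t)r >= n) ? -1 : 0;
}
/* 1 if the sprintf-built query now carries a second statement. */
static int unsafe_query_is_hijacked(void) {
    char q[QBUF];
    build_unsafe(q, sizeof q, HOSTILE);
    return strstr(q, "'; drop database") != NULL;
}
/* 1 if binding keeps the hostile value inside a single string literal. */
static int bound_query_is_intact(void) {
    char q[QBUF];
    return bind_string(q, sizeof q, TMPL, HOSTILE) == 0 &&
           strcmp(q, "SELECT id FROM repos WHERE url = '\\'; drop database repos;'") == 0;
}
int main(void) {
    char q[QBUF];
    build_unsafe(q, sizeof q, HOSTILE);      printf("unsafe: %s\n", q);
    bind_string(q, sizeof q, TMPL, HOSTILE); printf("bound:  %s\n", q);
    return 0;
}
```

The MySQL single-statement behaviour mentioned in the reply is a property of mysql_query(), not of the query text, which is why the bound form is the one that carries over to PostgreSQL.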