
From: Ruben Perez (rubenperez038_at_[hidden])
Date: 2022-05-13 16:48:03


> >
> > I was just imagining users concatenating queries. May be a misconception,
> > yours is a legitimate use case.
>
> I've thought more about this, and I'm guessing you were thinking
> about this XKCD https://xkcd.com/327/ SQL Injection.

Yes, this was definitely what I was thinking of ;)

>
> The proper and ideal remedy is not the XKCD one though,
> it is using prepared statements and binding values.
>
> The still proper but less ideal next remedy is a "safe" way to concatenate
> user inputs into textual SQL. I.e. the equivalent of
> SQLite: https://www.sqlite.org/printf.html with %q and %Q
> PostgreSQL: https://www.postgresql.org/docs/current/libpq-exec.html#LIBPQ-PQESCAPELITERAL
> Since you want to avoid the MySQL client, which I suppose has this
> too, you have to provide your own.

Since not everything can be done with prepared statements
(I've been shown some legitimate use cases that are not
covered), I've raised https://github.com/anarthal/mysql/issues/69
to address this, and I will likely implement something like this.

>
> Third and finally, this XKCD hack indeed only works if one can
> execute several semi-colon separated statements.
> So on second thought, it is *definitely* a good thing to have
> separate APIs, to execute a single statement, as opposed to executing
> "scripts" of statements, plural. With a single-statement API, *even*
> the XKCD hack won't work, since it would yield an invalid single
> statement.
> This is what you had in mind IMHO :).

The trouble with this is that multi-statement is not a separate protocol
primitive, but rather something you turn on or off for the entire session.
So your connections either support it or don't. If you include such a semicolon
separated set of queries in your query request, and this capability is turned
on, the server will happily execute it. So maybe this should be implemented
as an extra value in connection_params
(https://anarthal.github.io/mysql/mysql/connparams.html)
with adequate security warnings.
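To make the two remedies in this thread concrete, here is an added example written for this discussion; it is not code from Boost.MySQL, from the MySQL client library, or from either poster. It shows (a) a hypothetical escape_mysql()/quote_mysql() pair that applies the byte-level escaping rules MySQL uses in its default backslash-escaping mode (the same set mysql_real_escape_string handles), and (b) a hypothetical count_statements() scanner that counts top-level statements in a text query, skipping string literals, quoted identifiers and comments, so one can see that the XKCD payload turns a single INSERT into two statements when concatenated naively and stays one statement when quoted. The input string kXkcdName is constructed for the example (the comic's payload with a trailing space, since MySQL only treats "--" as a comment when whitespace follows it). The escaper assumes an ASCII-compatible connection charset such as utf8mb4 in which no multibyte character ends in 0x27 or 0x5c, and that NO_BACKSLASH_ESCAPES is off; under other settings this encoding is wrong, which is exactly why prepared statements with bound values remain the preferred remedy. The statement counter is a client-side illustration only; as the mail says, whether the server will actually run a second statement depends on the multi-statement capability negotiated for the session.

```cpp
#include <cctype>
#include <cstddef>
#include <iostream>
#include <string>
#include <string_view>

// Hypothetical helper (not a Boost.MySQL API): escape the bytes that MySQL's
// default backslash-escaping mode treats specially inside a string literal.
// Assumes utf8mb4/latin1-style charsets and NO_BACKSLASH_ESCAPES disabled.
std::string escape_mysql(std::string_view input)
{
    std::string out;
    out.reserve(input.size() + 8);
    for (char c : input) {
        switch (c) {
        case '\0':   out += "\\0";  break;
        case '\n':   out += "\\n";  break;
        case '\r':   out += "\\r";  break;
        case '\\':   out += "\\\\"; break;
        case '\'':   out += "\\'";  break;
        case '"':    out += "\\\""; break;
        case '\x1a': out += "\\Z";  break;   // Ctrl-Z, end-of-file on Windows
        default:     out.push_back(c);
        }
    }
    return out;
}

// Wrap a value as a single-quoted SQL string literal: the %Q / PQescapeLiteral idea.
std::string quote_mysql(std::string_view input)
{
    return "'" + escape_mysql(input) + "'";
}

// Count top-level statements in a text query. Semicolons inside '...', "...",
// `...`, "-- " / "#" line comments and /* */ block comments do not count.
// Illustrative scanner only; it does not implement MySQL's full lexer
// (e.g. /*! ... */ executable comments are treated as plain comments).
std::size_t count_statements(std::string_view sql)
{
    std::size_t n = 0;
    bool saw_text = false;   // current statement contains non-blank, non-comment text
    for (std::size_t i = 0; i < sql.size(); ++i) {
        char c = sql[i];
        if (c == '\'' || c == '"' || c == '`') {               // quoted literal or identifier
            saw_text = true;
            for (++i; i < sql.size() && sql[i] != c; ++i)
                if (sql[i] == '\\' && c != '`') ++i;           // backslash escape inside literal
            continue;
        }
        bool dash_comment = c == '-' && sql.substr(i, 2) == "--" &&
            (i + 2 >= sql.size() || std::isspace(static_cast<unsigned char>(sql[i + 2])));
        if (c == '#' || dash_comment) {                         // line comment
            while (i < sql.size() && sql[i] != '\n') ++i;
            continue;
        }
        if (c == '/' && sql.substr(i, 2) == "/*") {             // block comment
            std::size_t end = sql.find("*/", i + 2);
            i = (end == std::string_view::npos) ? sql.size() : end + 1;
            continue;
        }
        if (c == ';') {
            if (saw_text) ++n;
            saw_text = false;
            continue;
        }
        if (!std::isspace(static_cast<unsigned char>(c))) saw_text = true;
    }
    return saw_text ? n + 1 : n;
}

// Constructed input for the example: the XKCD 327 payload plus a trailing space.
constexpr std::string_view kXkcdName = "Robert'); DROP TABLE Students;-- ";

// The comic's query built by naive concatenation versus by quoting the value.
std::string naive_query(std::string_view name)
{
    return "INSERT INTO Students (name) VALUES ('" + std::string(name) + "')";
}

std::string quoted_query(std::string_view name)
{
    return "INSERT INTO Students (name) VALUES (" + quote_mysql(name) + ")";
}

int main()
{
    std::cout << naive_query(kXkcdName) << "\n  -> statements: "
              << count_statements(naive_query(kXkcdName)) << "\n";
    std::cout << quoted_query(kXkcdName) << "\n  -> statements: "
              << count_statements(quoted_query(kXkcdName)) << "\n";
}
```

Running it shows the naive query holding two statements (the INSERT and the DROP) and the quoted query holding one, whose only statement inserts the literal name. Note that the quoting fixes the injection regardless of the statement count; the counter exists only to illustrate the point that a single-statement API is a second, independent line of defence.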


Boost list run by bdawes at acm.org, gregod at cs.rpi.edu, cpdaniel at pacbell.net, john at johnmaddock.co.uk