You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The reason will be displayed to describe this comment to others. Learn more.
Should we use query parameters/substitution variables instead? Since otherwise we would need to anticipate all special characters, right? (disclaimer: Not my area of expertise)
The reason will be displayed to describe this comment to others. Learn more.
Maybe something like changing:
cursor.execute(f"SELECT term FROM terms WHERE term > \"{floor}\" AND term < \"{ceiling}\" AND term LIKE \"{word}%%\" ORDER BY length(term),term LIMIT {requested_limit}")
to
cursor.execute("SELECT term FROM terms WHERE term > %(floor)s AND term < %(ceiling)s AND term LIKE %(word)s ORDER BY length(term),term LIMIT %(requested_limit)d", {'floor': floor, 'ceiling': ceiling, 'word': word, 'requested_limit': requested_limit)
that way types are respected. My VM is borked atm, otherwise I would test this out
The reason will be displayed to describe this comment to others. Learn more.
I don't really know for sure, but don't think your proposal solves the problem. I think it would be just as vulnerable to the exploit. But I am not certain. Using prepared statements is likely the safest way to do this. But I think stripping out all " characters renders it safe, too. I should do some more testing.
The reason will be displayed to describe this comment to others. Learn more.
Good discussion. Yes, prepared statements are generally described as protecting against SQL injection but of course, would need to be tested in the context of a specific library and query.
fa2797eThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we use query parameters/substitution variables instead? Since otherwise we would need to anticipate all special characters, right? (disclaimer: Not my area of expertise)
fa2797eThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe something like changing:
to
that way types are respected. My VM is borked atm, otherwise I would test this out
fa2797eThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't really know for sure, but don't think your proposal solves the problem. I think it would be just as vulnerable to the exploit. But I am not certain. Using prepared statements is likely the safest way to do this. But I think stripping out all " characters renders it safe, too. I should do some more testing.
fa2797eThere was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good discussion. Yes, prepared statements are generally described as protecting against SQL injection but of course, would need to be tested in the context of a specific library and query.