Why Is Escaping Data Considered So Magical?
Jorgen Grahn
grahn+nntp at snipabacken.se
Fri Jun 25 08:15:08 EDT 2010
On Fri, 2010-06-25, Lawrence D'Oliveiro wrote:
> Just been reading this article
> <http://www.theregister.co.uk/2010/06/23/xxs_sql_injection_attacks_testing_remedy/>
> which says that a lot of security holes are arising these days because
> everybody is concentrating on unit testing of their own particular
> components, with less attention being devoted to overall integration
> testing.
I don't do SQL and I don't even understand the terminology properly
... but the discussion around it bothers me.
Do those people really do this?
- accept untrusted user data
- try to sanitize the data (escaping certain characters etc)
- turn this data into executable code (SQL)
- executing it
Like the example in the article
SELECT * FROM hotels WHERE city = '<untrusted>';
If so, its isomorphic with doing os.popen('zcat -f %s' % untrusted)
in Python (at least on Unix, where 'zcat ...' is executed as a shell
script).
I thought it was well-known that the solution is *not* to try to
sanitize the input -- it's to switch to an interface which doesn't
involve generating an intermediate executable. In the Python example,
that would be something like os.popen2(['zcat', '-f', '--', untrusted]).
Am I missing something? If not, I can go back to sleep -- and keep
avoiding SQL and web programming like the plague until that community
has entered the 21st century.
/Jorgen
--
// Jorgen Grahn <grahn@ Oo o. . .
\X/ snipabacken.se> O o .
More information about the Python-list
mailing list