Pickling over a socket

Chris Angelico rosuav at gmail.com
Wed Apr 20 11:26:44 CEST 2011


On Wed, Apr 20, 2011 at 7:17 PM, Bastian Ballmann <balle at chaostal.de> wrote:
> Well you forgot to escape ; and \ but this seems to slide into OT ;)

The semicolon doesn't need to be escaped in a quoted string, and the
backslash does only if it's the escape character. The
string-safetifier function that I used with DB2 was called "dblapos"
because it simply doubled every apostrophe - nothing else needed. On
the other hand, mysql_real_escape_string will escape quite a few
characters, for convenience in reading dumps.

> Am Wed, 20 Apr 2011 18:43:01 +1000
> schrieb Chris Angelico <rosuav at gmail.com>:
>
>> So, like Jean-Paul said, you simply do not trust anything that comes
>> from the network. Ever.
>
> If you generalize it in this way you should never trust any user input
> regardless if it comes from the net or from local or the environment
> etc.

Yes, but the other half of the issue is that you have to treat
anything that comes over the network as "user input", even if you
think it's from your own program that you control.

>> Urrrm. You can "own" a "complete computer" with SQL injection? Then
>> someone has some seriously weak protection.
>
> Yes and the database is poorly protected, but this happens way too
> often.

That's just *sad*.

>> SQL injection is easier to
>> protect against than buffer overruns, and with a lot of function
>> libraries
>
> I totally disagree. Buffer overflow is just a matter of size checking,
> but sql injection is a matter of syntax. It's more than just throwing
> the input into a magic auto-escape function.

Buffer overruns can happen in all sorts of places; SQL injection can
only happen where you talk to the database. And it IS just a matter of
using a magic auto-escape function, if your library is set up right -
unless, of course, you allow your users to submit SQL themselves (eg a
WHERE clause). That's almost impossible to sanitize, which is why I
would never EVER allow such a thing unless it's actually a trusted
environment (eg PHPMyAdmin - anyone who has access to PMA has access
to the database anyway).

> We both agree that one should never trust user input blindly and we also
> seem to conform to one can use user input in a appropriate way that's
> not the case, but if i read your mail i think you want to tell me one
> should never ever use the internet or only write programs without user
> input at all.

Not at all; just never *trust* user input. Where thou typest foo,
someone someday will type...

ChrisA



More information about the Python-list mailing list