guile-user

Re: SQL injection with guile-pg


From: Thien-Thi Nguyen
Subject: Re: SQL injection with guile-pg
Date: Fri, 11 Feb 2005 11:45:29 +0100

   From: Greg Troxel <address@hidden>
   Date: Thu, 06 Jan 2005 11:52:29 -0500

   It would be nice, though, to have sql-quote as a user-accessible
   procedure.

in cvs there is a new module (database postgres-qcons) for "query
construction" which exposes `sql-quote'.

at the moment, i'm mulling over what else to add to that module.

ideally we would follow the design of SchemeQL by Francisco Solsona, but
my macro-fu is not yet up to the task, so for now i'm considering providing
plain procedures that address pieces of the problem, learning from those
(mis-)steps, and revisiting the all-singing all-dancing macro approach
later.

this is, btw, in contrast to the design methodology for the single-table
abstraction, which went for the throat early on and now shows scaling
problems in the type converters (explained in the info page in cvs).  i
understood that single-table abstraction is a specialized application of
schema (in the database sense) mirroring (in the LAML sense), but did
not understand how to avoid the need for backtracking at that time...

     use bound parameters, so that the strings aren't part of the sql
     command, but are passed as data

could you show an example of this?

     have some support to make a sql command fragment with safe/quoted
     type conversion, perhaps something like

     (sql-prep "select foo from bar where a = " (list 'text s) ";")

     where s is a string.

see `compile-outspec' (available since Guile-PG 0.17, 2004-02-02) for
foo-position munging.  parts of its analysis can be (probably will be)
generalized for where-clause use, in (database postgres-qcons).

thi
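As an added illustration of the `sql-prep' fragment idea quoted above (this is not guile-pg's code; `sql-prep', `sql-literal' and `sql-quote-text' are hypothetical names), here is a plain-procedure sketch in Guile Scheme that treats literal strings as programmer-written SQL and quotes only the typed values. The text quoting doubles both single quotes and backslashes, which is what PostgreSQL's historical (pre-standard_conforming_strings) literal syntax needs; bound parameters sidestep this quoting question entirely.

```scheme
;; Hypothetical query-construction helpers, not part of guile-pg.

(define (sql-quote-text s)
  ;; Wrap S in single quotes, doubling any ' or \ inside it so that
  ;; the value cannot terminate the literal early.
  (let loop ((chars (string->list s)) (acc (list "'")))
    (cond ((null? chars)
           (apply string-append (reverse (cons "'" acc))))
          ((char=? (car chars) #\')
           (loop (cdr chars) (cons "''" acc)))
          ((char=? (car chars) #\\)
           (loop (cdr chars) (cons "\\\\" acc)))
          (else
           (loop (cdr chars) (cons (string (car chars)) acc))))))

(define (sql-literal spec)
  ;; SPEC is (TYPE VALUE); each type checks and converts its value.
  (let ((type (car spec)) (value (cadr spec)))
    (case type
      ((text)
       (if (string? value)
           (sql-quote-text value)
           (error "text literal needs a string:" value)))
      ((int)
       (if (and (integer? value) (exact? value))
           (number->string value)
           (error "int literal needs an exact integer:" value)))
      (else (error "unknown literal type:" type)))))

(define (sql-prep . parts)
  ;; Strings are trusted SQL written by the programmer and are copied
  ;; verbatim; lists are (TYPE VALUE) data from outside and go through
  ;; sql-literal.  Anything else is a programming error.
  (apply string-append
         (map (lambda (part)
                (cond ((string? part) part)
                      ((pair? part) (sql-literal part))
                      (else (error "sql-prep: bad part:" part))))
              parts)))

;; Constructed sample value containing both characters that need care.
(define s "O'Reilly \\ co")
(display (sql-prep "select foo from bar where a = " (list 'text s) ";"))
(newline)
```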



