manifoldcf-dev mailing list archives

From Robert Muir <rcm...@gmail.com>
Subject Re: Release?
Date Tue, 07 Dec 2010 13:00:04 GMT
On Mon, Dec 6, 2010 at 7:45 PM, Karl Wright <daddywri@gmail.com> wrote:

> Since quoteSQLString uses ' as its quotation mark, and properly
> escapes ' characters within the string, I claim that the method is
> properly written and cannot be used for a sql attack.  If you
> disagree, provide me a string that "breaks" the escaping that it does.

Just so you know Karl, security issues shouldn't be treated like 'regular bugs'.
Users/developers shouldn't need to write 'test cases' when code is
obviously insecure, we should instead write code securely, and specify
parameters as parameters so that we know they aren't going to be
interpreted as syntax.

That being said, my examples were just fine, examples. For postgresql
an example problem is that ' can also be escaped with a \.
(http://www.postgresql.org/docs/8.2/static/sql-syntax-lexical.html)
Thus, in some situations it's possible for me to bypass your escaping
by using the sequence \', which you will escape into \'', giving me an
unescaped single quote.

This is just *an example*, as I said before to demonstrate why
escaping is dangerous, I'm not going to go back-and-forth with you on
this as to whether or not manifoldcf has a problem in any particular
circumstances.

Someone motivated will always bypass escaping.
We should make parameters, parameters.
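
The mismatch described in the message above, as an added example that is not part of the original message and not ManifoldCF code: a quote-doubling escaper is run against a simplified model of a string-literal scanner with and without backslash escapes, next to the same value passed as a bound parameter. `quote_sql_string`, `scan_literal`, `bind_round_trip` and `SAMPLE` are hypothetical names, the scanner is a model rather than PostgreSQL's lexer, and sqlite3 stands in for the database only so the binding step runs offline.

```python
import sqlite3

# Constructed sample input: a backslash, a single quote, then trailing text.
SAMPLE = "a\\' TRAILING"

def quote_sql_string(value):
    """Hypothetical quote-doubling escaper (stand-in, not ManifoldCF's source)."""
    return "'" + value.replace("'", "''") + "'"

def scan_literal(sql, backslash_escapes=True):
    """Scan the '...' literal that starts sql; return (value, leftover text).

    Simplified model: '' is one quote, and when backslash_escapes is True a
    backslash makes the next character literal (\\n, \\t etc. are not decoded).
    """
    if not sql.startswith("'"):
        raise ValueError("expected opening quote")
    out, i = [], 1
    while i < len(sql):
        ch = sql[i]
        if backslash_escapes and ch == "\\" and i + 1 < len(sql):
            out.append(sql[i + 1])
            i += 2
        elif ch == "'" and sql[i + 1:i + 2] == "'":
            out.append("'")
            i += 2
        elif ch == "'":
            return "".join(out), sql[i + 1:]   # closing quote reached
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated string literal")

def bind_round_trip(value):
    """Pass value as a bound parameter; sqlite3 is used only to run offline."""
    conn = sqlite3.connect(":memory:")
    try:
        return conn.execute("SELECT ?", (value,)).fetchone()[0]
    finally:
        conn.close()

if __name__ == "__main__":
    quoted = quote_sql_string(SAMPLE)
    print("escaped text      :", quoted)
    print("backslash lexer   :", scan_literal(quoted))
    print("no-backslash lexer:", scan_literal(quoted, backslash_escapes=False))
    print("bound parameter   :", repr(bind_round_trip(SAMPLE)))
```

A non-empty leftover means the literal closed before the end of the escaped text, so the remainder would be read as SQL syntax; the bound parameter never passes through a literal scanner at all.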
