From: Rick R. <spl...@gm...> - 2014-01-10 14:56:37
I am pretty sure I am using dbi_conn_queryf correctly; the code below is actually much longer, but I have shortened it to just show an example of the issue. I have two column names, name and title, and want to read in two string values using dbi_conn_queryf. I need to lock down the second value being read into the DB and read it as is.

    sprintf (sql_columns, "name, title");
    sprintf (sql_string, "REPLACE into data (%s) VALUES (\"%s\", \"%s\")",
             sql_columns, GET_NAME (ch),
             ch->player.title ? ch->player.title : "None");
    result = dbi_conn_queryf (conn, sql_string);

I have tried the following, which I believe is on the right track, but the program crashes as soon as it gets to dbi_conn_quote_string_copy. I try to use dbi_conn_quote_string_copy to keep the bad string locked down, and then use dbi_conn_queryf to read the new locked down value into the db. Sadly, I am not the greatest C coder, so I am probably overlooking something relatively simple to make this work.

    char *pTitle=NULL;
    char *pTitle2=NULL;

    if ((ch)->player.title) {
        sprintf (pTitle, (ch)->player.title);
    } else {
        sprintf (pTitle, "None");
    }

    dbi_conn_quote_string_copy(conn, pTitle, &pTitle2);

    sprintf (sql_columns, "name, title");
    sprintf (sql_string, "REPLACE into data (%s) VALUES (\"%s\", \"%s\")",
             sql_columns, GET_NAME (ch), pTitle2 );
    result = dbi_conn_queryf (conn, sql_string);

Thank you for any help or thoughts provided and the library!

On Fri, Jan 10, 2014 at 8:40 AM, Markus Hoenicka <mar...@mh...> wrote:

> On 2014-01-10 14:17, Markus Hoenicka wrote:
>
> > If I understand you correctly, you attempt to insert a value containing
> > the string "%s Saints going down tonight!!!!!" using the libdbi function
> > dbi_conn_queryf(). Thing is, dbi_conn_queryf() is intended to make
> > dbi_conn_query() behave somewhat like sprintf() in that you can specify
> > a formatting string containing placeholders like "%s", followed by
> > parameters that are filled in. If you want to preserve the "%s"
> > literally, you either need to escape or quote the values properly, or
> > you should rather use dbi_conn_query() which sends the string parameter
> > to the db engine literally. You still need to watch out for proper
> > quoting and escaping as per the language specs of your db engine.
>
> I forgot to mention that the dbi_conn_quote_string() and
> dbi_conn_escape_string() functions and their relatives can do the quoting
> and escaping for you, please check the manual.
>
> regards,
> Markus
>
> --
> Markus Hoenicka
> http://www.mhoenicka.de
> AQ score 38
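The single-step pattern described in the quoted reply (a constant format string, with quoted values passed only as arguments), as an added example that is not part of the original thread and is not libdbi code. `quote_string_copy`, `build_statementf` and `build_replace` are hypothetical stand-ins so the block runs without a database; the quote-doubling rule and the name "Rick" are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for dbi_conn_quote_string_copy(): stores a malloc'd,
 * quoted copy of orig in *newstr and returns its length (0 on failure). Doubling
 * single quotes is a simplification; the real rules depend on the db engine. */
static size_t quote_string_copy(const char *orig, char **newstr) {
    size_t n = strlen(orig), j = 0;
    char *out = malloc(2 * n + 3); /* every char doubled + two quotes + NUL */
    *newstr = out;
    if (out == NULL) return 0;
    out[j++] = '\'';
    for (size_t i = 0; i < n; i++) {
        if (orig[i] == '\'') out[j++] = '\'';
        out[j++] = orig[i];
    }
    out[j++] = '\'';
    out[j] = '\0';
    return j;
}

/* Hypothetical stand-in for dbi_conn_queryf(): expands a printf-style format
 * into the statement text; returns its length, or -1 if it does not fit. */
static int build_statementf(char *dst, size_t cap, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(dst, cap, fmt, ap);
    va_end(ap);
    return (n >= 0 && (size_t)n < cap) ? n : -1;
}

/* Constant format string; name and title travel only as arguments, so a "%s"
 * inside either value is copied literally and never parsed as a conversion. */
static int build_replace(char *dst, size_t cap, const char *name, const char *title) {
    char *qname = NULL, *qtitle = NULL;
    int n = -1;
    if (quote_string_copy(name, &qname) && quote_string_copy(title ? title : "None", &qtitle))
        n = build_statementf(dst, cap, "REPLACE INTO data (name, title) VALUES (%s, %s)", qname, qtitle);
    free(qname);
    free(qtitle);
    return n;
}

int main(void) {
    char sql[256]; /* title is the value from this thread; the name is constructed */
    if (build_replace(sql, sizeof sql, "Rick", "%s Saints going down tonight!!!!!") > 0) puts(sql);
    return 0;
}
```

The quoted values already carry their own quote characters, so the format string contains bare `%s` placeholders rather than `\"%s\"`.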