New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[core] Escaping values for SQL in script raw querys #1530
Comments
Hi @ar45 - the actual purpose of |
OK, some update here. After some research, it seems that the single quote is the standard SQL way of quoting strings. Escaping them is by doubling, indeed (and not with ''). |
Hi Bogdan
Makes sense. I thought maybe it would be even better to provide
transformations through the db module and each db_api module should
implement the proper escaping according to which database connection being
used.
db_postgres would use `PQescapeLiteral()`
db_postgres would use `mysql_real_escape_string()`
The syntax could be something like {sql.escape_string,avpdb-id} where
avpdb-id is the db url reference number. this will also surround the value
with quotes, so that the user does not need to quote it manually. NULL
values a avp with no value would be transformed into sql NULL without
quotes.
That could even be taken to the next level by choosing to quote the value
based on the type of avp int or str, so only str will be surrounded by
quotes.
…--
Aron Podrigal
718-942-9990 x 221
Software Engineer
MongoTel
On Fri, Jan 4, 2019 at 7:50 AM Bogdan Andrei IANCU ***@***.***> wrote:
OK, some update here. After some research, it seems that the single quote
is the standard SQL way of quoting strings. Escaping them is by doubling,
indeed (and not with '').
While the standard/formated queries are safe in opensips (as each DB
backend is doing it's own escaping when packing the strings into the
query), the raw queries from script are not safe, so you need to do
standard SQL escaping (doubling the single quotes) - of course, this means
you need to format your query by packing the string with single quote.
Or many an {s.sql_string} transformation that will escape all the inner
single quotes and also add the wrapping quotes too.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1530 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AEsfGLLZ-O1OvB9T8vaRSU49VoECAkBCks5u_1xAgaJpZM4YatgY>
.
|
Hi @ar45, |
These functions do the escaping while being aware of the database character encoding. |
Any updates here? No progress has been made in the last 15 days, marking as stale. Will close this issue if no further updates are made in the next 30 days. |
The SQL standard way to escape single quotes is by doubling them, and most databases do not recognize
\
as an escape character. And thus aren't properly escaped by postgres leaving queries vulnerable to SQL injections.From postgresql docs https://www.postgresql.org/docs/current/runtime-config-compatible.html
So the only way to have strings containing
'
escaped is by prefixing them withE'...'
The text was updated successfully, but these errors were encountered: