Sanity checking column names in [p5.mysql.load-from]
To prevent a maliciously malformed CSV file from creating SQL injection …
Thomas Hansen committed Jun 6, 2018
1 parent 4361a1d commit c179a3d
Showing 1 changed file with 8 additions and 2 deletions.
10 changes: 8 additions & 2 deletions plugins/extras/p5.mysql/NonQuery.cs
Expand Up @@ -162,11 +162,17 @@ record = csv.Read ();
* Helper for above.
*/
private static string CreateInsertSQL (string table, Dictionary<string, MySqlDbType> types, string [] headers)
{
{
// Creating our reused insert SQL command text.
var insertSql = string.Format ("insert into `{0}` (", table);
var first = true;
foreach (var idxHeader in headers) {
foreach (var idxHeader in headers) {

// Sanity checking column name
foreach (var idxChar in idxHeader) {
if ("0123456789_-abcdefghijklmnopqrstuvwxyz".IndexOf (idxChar.ToString ().ToLower (CultureInfo.InvariantCulture), StringComparison.InvariantCulture) == -1)
throw new System.Security.SecurityException ("Unsupported and insecure column name found in your CSV file.");
}

// Skipping TIMESTAMP columns.
if (types [idxHeader] == MySqlDbType.Timestamp)
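Review bot: The allow-list test on the `if` line of the new inner loop is a culture-sensitive `IndexOf` (`StringComparison.InvariantCulture` on a lowercased one-character string), and culture-sensitive `IndexOf` treats ignorable characters such as the soft hyphen (U+00AD) as matching at index 0, so a header containing one passes the check and reaches the SQL text unchanged. An ordinal range test on the raw char is stricter and simpler: `if (!((idxChar >= 'a' && idxChar <= 'z') || (idxChar >= 'A' && idxChar <= 'Z') || (idxChar >= '0' && idxChar <= '9') || idxChar == '_' || idxChar == '-'))`, which also drops the per-character `ToString ()`/`ToLower ()` allocations and no longer depends on how `ToLower (InvariantCulture)` maps non-ASCII letters. An empty header has no characters to reject and passes the loop, so a `string.IsNullOrEmpty (idxHeader)` guard before it is needed if empty column names should be refused. `table` is still formatted straight into `insertSql` above the loop and is not covered by this check; presumably the caller validates it, but that is worth confirming. CreateInsertSQL continues past the end of the hunk.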
