database quoting

database quoting

ddunkin

Hello. My company is currently evaluating vtiger crm for internal use. I have a small team dedicated to fixing bugs and making improvements. One thing I have noticed right away is that data is rarely if ever quoted before being put into a SQL statement. This is a huge security hole (open to SQL injection attacks), as well as an annoyance (you can’t insert data that contains a quote). Is there a reason for not quoting? If my team submitted patches that quoted everything that needed to be quoted, what would be the timeline for integration? I have noticed that quite a few code contributions have not been integrated into the product, and I want to make sure we’re not wasting our time.
Thanks,

Dave Dunkin

Lead Web Developer

DIS Corporation

360.647.4120

Re: database quoting

Sergio A. Kessler-2
so we are all on the same page:

Dave talks about doing:

a) $db->query("insert into foo values ('$bar')");

vs.

b) $db->query('insert into foo values (?)', array($bar));


a) is a BIG security risk, because if $bar is some value from a _GET
or _POST some user can send $bar with a value of "'qwerty'); delete
from client;"

see the risk? your insert is executed, but the table 'client' is deleted.

meanwhile the b) procedure 'prepares' the query so all the parameters
are quoted correspondingly, so no harm is produced by SQL injection.


the example was PEAR::DB'ish, adodb has similar functions...

regards,
/sak

On 11/22/05, Dave Dunkin <[hidden email]> wrote:

>
>
>
> Hello. My company is currently evaluating vtiger crm for internal use. I
> have a small team dedicated to fixing bugs and making improvements. One
> thing I have noticed right away is that data is rarely if ever quoted before
> being put into a SQL statement. This is a huge security hole (open to SQL
> injection attacks), as well as an annoyance (you can't insert data that
> contains a quote). Is there a reason for not quoting? If my team submitted
> patches that quoted everything that needed to be quoted, what would be the
> timeline for integration? I have noticed that quite a few code contributions
> have not been integrated into the product, and I want to make sure we're not
> wasting our time.
>
>
>
> Thanks,
>
> Dave Dunkin
>
> Lead Web Developer
>
> DIS Corporation
>
> 360.647.4120
>
>


_______________________________________________
vtigercrm-developers mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/vtigercrm-developers
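As an added illustration of the a) vs. b) contrast from the reply above (example code written for this page, not vtiger's own or from either poster): PHP's PDO against an in-memory SQLite database, assuming the pdo_sqlite extension is loaded; the tables, rows and the payload string are constructed for the demo.

```php
<?php
// Added example (not vtiger code): PDO + in-memory SQLite contrasts the
// two forms from the thread. Assumes the pdo_sqlite extension is loaded.
function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE foo (bar TEXT)");
    $db->exec("CREATE TABLE client (id INTEGER, name TEXT)");
    $db->exec("INSERT INTO client VALUES (1, 'acme'), (2, 'globex')"); // constructed rows
    return $db;
}

// a) vulnerable: $bar becomes part of the SQL text the parser sees
function insertInterpolated(PDO $db, string $bar): void {
    $db->exec("INSERT INTO foo VALUES ('$bar')");
}

// b) safe: $bar travels as a bound parameter, never as SQL
function insertPrepared(PDO $db, string $bar): void {
    $stmt = $db->prepare("INSERT INTO foo VALUES (?)");
    $stmt->execute([$bar]);
}

function clientCount(PDO $db): int {
    return (int) $db->query("SELECT COUNT(*) FROM client")->fetchColumn();
}

// Constructed payload of the same shape as the one quoted in the thread.
$payload = "x'); DELETE FROM client; --";

$db = setupDb();
insertInterpolated($db, $payload);
echo "a) client rows left after interpolated insert: " . clientCount($db) . "\n";

$db = setupDb();
insertPrepared($db, $payload);
echo "b) client rows left after prepared insert: " . clientCount($db) . "\n";
$stored = $db->query("SELECT bar FROM foo")->fetchColumn();
echo "b) payload stored as plain data: " . ($stored === $payload ? "yes" : "no") . "\n";

// Dave's other complaint: legitimate values that contain a quote.
$db = setupDb();
insertPrepared($db, "O'Brien");
try {
    insertInterpolated($db, "O'Brien");
} catch (PDOException $e) {
    echo "a) rejects O'Brien: " . $e->getMessage() . "\n";
}
```

With the prepared form the client table keeps both rows and the payload lands in foo as an ordinary string, while the interpolated form both runs the injected statement and fails on an innocent name like O'Brien.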