[Devel] Re: [Users] avpops: new function avp_db_query()

Klaus Darilion klaus.mailinglists at pernau.at
Mon Feb 20 11:31:41 CET 2006


Daniel-Constantin Mierla wrote:
> Hello Klaus,
> 
> On 02/17/06 14:59, Klaus Darilion wrote:
>> Is the query SQL-injection save?
> Depending on what you do and how :-). Authenticating the user should 
> prevent bad values in From header and credentials, some character 
> sequences are not allowed to be part of user or domain names. Using 
> values from custom headers is quite risky, you have to use other 
> techniques to ensure a trusted value. So, I am sure that someone can get 
> some examples of doing sql-injections even without using avp_db_query(), 
> there are many other modules doing SQL queries using parts of SIP 
> message, but these situations can be avoided if you know what you are 
> doing in the script. I do not know a technique to prevent 100% 
> SQL-injections, are you aware of?

AFAIK there are 2 ways to prevent SQL injection.
1. quoting and escaping
2. Do not provide the user input in the SQL query, but explicitly as a 
parameter. This way, the DB client library prevents SQL injection.

I've checked the postgresql module, which supports both versions. If 
"params" are defined, the safe version is used. But, when raw queries 
are used, there is no protection through the API, thus, checks must be done 
before. Does this query work?

   if (avp_subst("s:foo","/\"//")) {
     sl_send_reply("403","bad syntax");
   }


regards
klaus
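As an added illustration of the two approaches listed above (this is not code from the OpenSER project or from the thread), the same subscriber lookup is run three ways against a constructed SQLite table standing in for the OpenSER database: a raw query built from the SIP user value, the same query with quoting/escaping, and the parameterized form. The table layout, column names and sample rows are assumptions.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the subscriber table (assumed layout)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscriber (username TEXT, domain TEXT, rpid TEXT)")
    conn.executemany(
        "INSERT INTO subscriber VALUES (?, ?, ?)",
        [("alice", "example.org", "+4311111"), ("bob", "example.org", "+4322222")],
    )
    return conn


def lookup_raw(conn, user):
    # Raw query: the From user is pasted into the SQL text, as with an
    # avp_db_query() call that builds its string from the message and
    # passes no params. Nothing in the client library protects this.
    sql = "SELECT rpid FROM subscriber WHERE username='" + user + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_escaped(conn, user):
    # Way 1: quoting and escaping. The value is still embedded in the SQL
    # text, but the string-literal delimiter is doubled so it cannot
    # terminate the literal early.
    escaped = user.replace("'", "''")
    sql = "SELECT rpid FROM subscriber WHERE username='" + escaped + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_params(conn, user):
    # Way 2: the value is bound as a parameter. The SQL text is fixed and
    # the library never interprets the value as part of it, so there is
    # nothing to escape; this is what the "params" path of the DB
    # module buys you.
    sql = "SELECT rpid FROM subscriber WHERE username=?"
    return sorted(row[0] for row in conn.execute(sql, (user,)))


if __name__ == "__main__":
    db = make_db()
    # A From user that only an attacker would send (constructed sample)
    hostile = "x' OR '1'='1"
    print("raw:    ", lookup_raw(db, hostile))      # returns every rpid
    print("escaped:", lookup_escaped(db, hostile))  # returns []
    print("params: ", lookup_params(db, hostile))   # returns []
```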