[Devel] Re: [Users] avpops: new function avp_db_query()
Daniel-Constantin Mierla
daniel at voice-system.ro
Mon Feb 20 11:55:57 CET 2006
Hello Klaus,
On 02/20/06 12:31, Klaus Darilion wrote:
> Daniel-Constantin Mierla wrote:
>> Hello Klaus,
>>
>> On 02/17/06 14:59, Klaus Darilion wrote:
>>> Is the query SQL-injection save?
>> Depending on what you do and how :-). Authenticating the user should
>> prevent bad values in From header and credentials, some character
>> sequences are not allowed to be part of user or domain names. Using
>> values from custom headers is quite risky, you have to use other
>> techniques to ensure a trusted value. So, I am sure that someone can
>> get some examples of doing SQL injections even without using
>> avp_db_query(), there are many other modules doing SQL queries using
>> parts of SIP message, but these situations can be avoided if you know
>> what you are doing in the script. I do not know a technique to
>> prevent 100% SQL injections, are you aware of any?
>
> AFAIK there are 2 ways to prevent SQL injection.
> 1. quoting and escaping
> 2. Do not provide the user input in the SQL query, but explicit as
> parameter. This way, the DB client library prevents SQL injection.
>
> I've checked the postgresql module, which supports both versions. If
> "params" are defined, the safe version is used. But, when raw queries
> are used, there is no protection through the API, thus, checks must be
> done before. Does this query work?
>
> if (avp_subst("s:foo","/\"//")) {
> sl_send_reply("403","bad syntax");
> }
I am not sure I got what you want to achieve with this statement. Do you
want to forbid messages which have quotes or some other "dangerous"
characters in some pseudo-variables? Or do you want to escape the quotes?
You can do quoting and escaping from the script, as you already
mentioned, using avp_subst(). Checks for special characters like quotes
or double dashes can be done via avp_check().
Cheers,
Daniel
>
>
> regards
> klaus
>
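The two protections discussed in this thread (escaping before a raw query versus passing the value as a parameter), plus the avp_check-style rejection of quotes and double dashes, as an added Python illustration that is not code from the thread or from OpenSER; the subscriber table and its rows are constructed for the example.

```python
import re
import sqlite3

# Constructed sample data standing in for a subscriber table queried from the SIP script.
SUBSCRIBERS = [("alice", "example.org"), ("o'brien", "example.org"), ("bob", "example.net")]


def make_db():
    """Build an in-memory database holding the constructed subscriber rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE subscriber (username TEXT, domain TEXT)")
    db.executemany("INSERT INTO subscriber VALUES (?, ?)", SUBSCRIBERS)
    return db


def lookup_param(db, user, domain):
    """Way 2 from the thread: the value never touches the SQL text.

    The client library binds it as a parameter, so a quote in the
    username is just data and cannot alter the query structure."""
    sql = "SELECT username FROM subscriber WHERE username = ? AND domain = ?"
    return [row[0] for row in db.execute(sql, (user, domain)).fetchall()]


def escape_sql_string(value):
    """Way 1: quoting and escaping before splicing into a raw query.

    Doubling single quotes is the standard-SQL rule (enough for SQLite and
    PostgreSQL); MySQL additionally treats backslashes specially, so the
    escape rule is database-specific, which is why parameters are preferred."""
    return value.replace("'", "''")


def lookup_raw_escaped(db, user, domain):
    """Raw query of the kind a script-built avp_db_query() would issue, made
    safe only because every spliced value went through escape_sql_string()."""
    sql = "SELECT username FROM subscriber WHERE username = '%s' AND domain = '%s'" % (
        escape_sql_string(user), escape_sql_string(domain))
    return [row[0] for row in db.execute(sql).fetchall()]


# The avp_check-style guard from the thread: refuse any value carrying a
# single or double quote or a double dash (the SQL comment marker).
DANGEROUS = re.compile(r"['\"]|--")


def value_is_safe(value):
    """True when the value contains none of the characters the guard rejects."""
    return DANGEROUS.search(value) is None
```

Note that the guard rejects legitimate names such as o'brien; escaping or parameters keep such names usable while still preventing the quote from changing the query.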