[Devel] Re: [Users] avpops: new function avp_db_query()

Klaus Darilion klaus.mailinglists at pernau.at
Mon Feb 20 14:19:55 CET 2006


Daniel-Constantin Mierla wrote:
> Hello Klaus,
> 
> On 02/20/06 12:31, Klaus Darilion wrote:
>> Daniel-Constantin Mierla wrote:
>>> Hello Klaus,
>>>
>>> On 02/17/06 14:59, Klaus Darilion wrote:
>>>> Is the query SQL-injection safe?
>>> Depending on what you do and how :-). Authenticating the user should 
>>> prevent bad values in From header and credentials, some character 
>>> sequences are not allowed to be part of user or domain names. Using 
>>> values from custom headers is quite risky, you have to use other 
>>> techniques to ensure a trusted value. So, I am sure that someone can 
>>> get some examples of doing sql-injections even without using 
>>> avp_db_query(), there are many other modules doing SQL queries using 
>>> parts of the SIP message, but these situations can be avoided if you know 
>>> what you are doing in the script. I do not know a technique to 
>>> prevent 100% SQL-injections, are you aware of one?
>>
>> AFAIK there are 2 ways to prevent SQL injection.
>> 1. quoting and escaping
>> 2. Do not provide the user input in the SQL query, but explicit as 
>> parameter. This way, the DB client library prevents SQL injection.
>>
>> I've checked the postgresql module, which supports both versions. If 
>> "params" are defined, the safe version is used. But, when raw queries 
>> are used, there is no protection through the API, thus, checks must 
>> be done before. Does this query work?
>>
>>   if (avp_subst("s:foo","/\"//")) {
>>     sl_send_reply("403","bad syntax");
>>   }
> I am not sure I got what you want to achieve with this statement. Do you 
> want to forbid messages which have quotes or some other "dangerous" 
> characters in some pseudo-variables? Or you want to escape the quotes?
> 
> You can do quoting and escaping from the script, as you already 
> mentioned, using avp_subst(). Checks for special characters like quotes 
> or double dash can be done via avp_check().

I didn't find out how to use avp_check, thus I used avp_subst.

regards
klaus

> 
> Cheers,
> Daniel
> 
>>
>>
>> regards
>> klaus
>>
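The two defences Klaus lists (escaping or whitelisting the value before it is pasted into a raw query, versus handing it to the DB client library as a bound parameter), shown side by side as an added example. This is not code from the thread or from OpenSER's avpops or postgres modules; it uses Python's sqlite3 in place of the proxy's DB layer, and the subscriber table, its rows, the injection payload and the whitelist regex are all constructed for the illustration.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data (assumption, not OpenSER's real subscriber schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE subscriber (username TEXT, domain TEXT, ha1 TEXT)")
    db.executemany(
        "INSERT INTO subscriber VALUES (?, ?, ?)",
        [("alice", "example.com", "ha1-alice"), ("bob", "example.com", "ha1-bob")],
    )
    return db


def lookup_raw(db, user):
    """Raw query: the SIP-derived value is spliced into the SQL text.
    This is the unprotected path; a quote in `user` ends the literal and the
    rest of the value is parsed as SQL."""
    sql = "SELECT username FROM subscriber WHERE username='%s'" % user
    return [row[0] for row in db.execute(sql)]


def lookup_param(db, user):
    """Parameterized query: the value travels as a bound parameter, never as
    SQL text, so the client library keeps it a plain string whatever it contains."""
    sql = "SELECT username FROM subscriber WHERE username=?"
    return [row[0] for row in db.execute(sql, (user,))]


# Whitelist check applied before building a raw query, in the spirit of an
# avp_check regex: allow only characters a SIP user part plausibly needs.
# Anything else (quotes, semicolons, spaces, ...) is rejected outright.
USER_RE = re.compile(r"^[A-Za-z0-9._+-]+$")


def is_clean(user):
    return USER_RE.match(user) is not None


def lookup_checked(db, user):
    """Reject-then-query: returns None when the value fails the whitelist,
    which is where the script would answer 403 'bad syntax' instead of querying."""
    if not is_clean(user):
        return None
    return lookup_raw(db, user)


def escape_quotes(user):
    """Escaping alternative: doubling single quotes keeps the value inside the
    literal (SQL-standard quoting; MySQL-style backslash escaping differs, so
    this helper is only correct for engines that use quote doubling)."""
    return user.replace("'", "''")


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"      # constructed attacker-controlled user part
    print("raw      :", lookup_raw(db, payload))                  # both users leak
    print("param    :", lookup_param(db, payload))                # no match
    print("checked  :", lookup_checked(db, payload))              # None -> 403
    print("escaped  :", lookup_raw(db, escape_quotes(payload)))   # no match
```

`lookup_raw` is the shape of a raw `avp_db_query()` string with a pseudo-variable interpolated into it; `lookup_param` is the "params" path of the postgres module that Klaus describes as the safe version; `lookup_checked` is the role an `avp_check`/`avp_subst` guard plays when only the raw path is available. Note that the whitelist accepts `-`, so a lone `--` in the value is not rejected; it is harmless while it stays inside the quoted literal, which the ban on quotes guarantees.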



