[Devel] Re: [Users] avpops: new function avp_db_query()
Daniel-Constantin Mierla
daniel at voice-system.ro
Mon Feb 20 16:23:01 CET 2006
On 02/20/06 15:19, Klaus Darilion wrote:
> Daniel-Constantin Mierla wrote:
>> Hello Klaus,
>>
>> On 02/20/06 12:31, Klaus Darilion wrote:
>>> Daniel-Constantin Mierla wrote:
>>>> Hello Klaus,
>>>>
>>>> On 02/17/06 14:59, Klaus Darilion wrote:
>>>>> Is the query SQL-injection safe?
>>>> Depending on what you do and how :-). Authenticating the user
>>>> should prevent bad values in From header and credentials, some
>>>> character sequences are not allowed to be part of user or domain
>>>> names. Using values from custom headers is quite risky, you have to
>>>> use other techniques to ensure a trusted value. So, I am sure that
>>>> someone can get some examples of doing sql-injections even without
>>>> using avp_db_query() , there are many other modules doing SQL
>>>> queries using parts of SIP message, but these situations can be
>>>> avoided if you know what you are doing in the script. I do not know
>>>> a technique to prevent 100% SQL-injections, are you aware of one?
>>>
>>> AFAIK there are 2 ways to prevent SQL injection.
>>> 1. quoting and escaping
>>> 2. Do not provide the user input in the SQL query, but explicit as
>>> parameter. This way, the DB client library prevents SQL injection.
>>>
>>> I've checked the postgresql module, which supports both versions. If
>>> "params" are defined, the safe version is used. But, when raw
>>> queries are used, there is no protection through the API, thus,
>>> checks must be done before. Does this query work?
>>>
>>> if (avp_subst("s:foo","/\"//")) {
>>> sl_send_reply("403","bad syntax");
>>> }
>> I am not sure I got what you want to achieve with this statement. Do
>> you want to forbid messages which have quotes or some other
>> "dangerous" characters in some pseudo-variables? Or you want to
>> escape the quotes?
>>
>> You can do quoting and escaping from the script, as you already
>> mentioned, using avp_subst(). Checks for special characters like
>> quotes or double dash can be done via avp_check().
>
> I didn't find out how to use avp_check, thus I used avp_subst.
To perform regular expression matching you have to use the 're' operation.
avp_check("$avp(s:foo)", "re/\"/g");
Cheers,
Daniel
>
> regards
> klaus
>
>>
>> Cheers,
>> Daniel
>>
>>>
>>>
>>> regards
>>> klaus
>>>
>
>
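The two defences Klaus lists (quoting/escaping versus passing the user input as a bound parameter) and the avp_check-style character check Daniel suggests can be seen side by side in the following added example. It is not code from this thread or from OpenSER: it uses Python's sqlite3 against a constructed in-memory `subscriber` table, with `raw_query()` standing in for a raw avp_db_query() string built from `$from.user`, `param_query()` for the "params" path of the DB module, and `is_safe()` for a regex check of the kind avp_check("…", "re/…/") performs. The rejected character set and the sample rows are assumptions made for the demonstration.

```python
import re
import sqlite3

# Constructed sample data standing in for the SIP subscriber table.
SAMPLE_ROWS = [
    ("alice", "example.org", "+431000"),
    ("bob", "example.org", "+431001"),
    ("carol", "example.org", "+431002"),
]

# Constructed From-user value that carries a quote, the classic injection shape.
INJECTED_USER = "alice' OR '1'='1"

# Assumed set of characters a script-level check (avp_check with a regex)
# would reject before the value reaches a raw query: quotes, backslash,
# statement separator and the SQL comment marker.
UNSAFE = re.compile(r"""['"\\;]|--""")


def build_db():
    """Create the in-memory table the queries below run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscriber (username TEXT, domain TEXT, rpid TEXT)")
    conn.executemany("INSERT INTO subscriber VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def raw_query(conn, username):
    """The unsafe path: the user-controlled value is spliced into the SQL text,
    as a raw avp_db_query("select rpid from subscriber where username='$from.user'")
    would do. A quote in the value changes the meaning of the statement."""
    sql = f"SELECT rpid FROM subscriber WHERE username='{username}' ORDER BY username"
    return [row[0] for row in conn.execute(sql)]


def param_query(conn, username):
    """The safe path: the value is handed to the client library as a bound
    parameter, so it can only ever be compared as data, never parsed as SQL."""
    sql = "SELECT rpid FROM subscriber WHERE username=? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]


def escape_value(value):
    """Quoting/escaping for a raw query: double every single quote (the SQL
    standard form; MySQL additionally needs backslashes escaped). This keeps
    the value inside its string literal but is DB-dialect specific, which is
    why the parameter form is preferred when the DB module supports it."""
    return value.replace("'", "''")


def is_safe(value):
    """Script-level pre-check: reject values containing risky characters,
    the equivalent of failing the request with 403 when avp_check matches."""
    return UNSAFE.search(value) is None


if __name__ == "__main__":
    db = build_db()
    print("raw, benign:   ", raw_query(db, "alice"))
    print("raw, injected: ", raw_query(db, INJECTED_USER))      # every row leaks
    print("param, injected:", param_query(db, INJECTED_USER))   # no such user
    print("raw, escaped:  ", raw_query(db, escape_value(INJECTED_USER)))
    print("check passes:  ", is_safe("alice"), is_safe(INJECTED_USER))
```

Run as a script it prints the three rpids for the raw query with the injected value, an empty result for the parameterised and escaped forms, and `True False` for the check. The check is a last line of defence for modules that only offer raw queries; where the DB module accepts params, that path removes the problem rather than filtering it.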