[Users] Openser and Oracle

Papadopoulos Georgios geop at altectelecoms.gr
Wed Mar 14 14:40:37 CET 2007 

I see what you mean. However, how is this avoided if you use query()
instead of raw_query()? Function query() will also write the same string
as the value of the User-Agent column. Both functions will construct the
same query and at the end they will call submit_query(). No?

best regards

George

> -----Original Message-----
> From: Klaus Darilion [mailto:klaus.mailinglists at pernau.at] 
> Sent: Wednesday, March 14, 2007 2:28 PM
> To: Papadopoulos Georgios
> Cc: users at openser.org
> Subject: Re: [Users] Openser and Oracle
> 
> Papadopoulos Georgios wrote:
> > What do you mean by "SQL injection"? I know it is not a pretty 
> > solution (especially changing the code) but I cannot think 
> of an alternative.
> 
> 
> Just an example. The save() function writes the User-Agent 
> header into the DB. If the usrloc would use a raw SQL query, 
> and the User-Agent header would be something like
> User-Agent: foobar'; delete from subscriber; '
> 
> then the delete query would be executed. This is an SQL injection.
> 
> regards
> klaus
> 
> > 
> > I can look into SER's oracle module. But that would mean 
> that in the 
> > where clauses all string values should be surounded with 
> "upper". Not 
> > a pretty solution either but it would work I guess.
> > 
> > I briefly saw that Openser 1.2 has string transformations. So could 
> > uppercase and lowercase be included there? I am picturing something 
> > like avp_db_load("$ruri{s.lowercase}", ...) Of course this 
> would only 
> > solve the issue with avpops. In order to solve the issue 
> with auth_db 
> > for example, wouldn't we need new functions?
> > 
> > Any comments about the multiple connections to the DB? 
> > 
> > 
> >> -----Original Message-----
> >> From: Klaus Darilion [mailto:klaus.mailinglists at pernau.at]
> >> Sent: Wednesday, March 14, 2007 12:59 PM
> >> To: Papadopoulos Georgios
> >> Cc: users at openser.org
> >> Subject: Re: [Users] Openser and Oracle
> >>
> >> Papadopoulos Georgios wrote:
> >>> Hello,
> >>>  
> >>> First of all congratulations to everyone involved in the
> >> new release. 
> >>> I haven't been able to get my hands on it yet, but just
> >> reading about
> >>> it makes me very excited. Great job!
> >>>  
> >>> I would like to address the issue of Openser and Oracle working 
> >>> together. We are currently using Openser with a local
> >> MySQL. Our main
> >>> database is Oracle and we are just copying data to MySQL so that 
> >>> Openser can work. This is a little difficult to maintain so
> >> I thought
> >>> I would try to make Openser use directly our Oracle. Of
> >> course I ran
> >>> into a number of issues.
> >>> 1. modules/acc and unixodbc. The acc_db_request() was not working 
> >>> because inserting a string in a date column does not work
> >> with Oracle.
> >>> So, I had to change functions time2str() and time2odbc() in
> >> order to
> >>> make this work. Also had to change acc.c to treat column time as 
> >>> DB_TIME instead of DB_STR (I think this could be treated 
> as a bug).
> >>> 2. modules/lcr. The query uses char_length() and rand()
> >> which I had to
> >>> replace with lengthc() and dbms_random.value. Should these
> >> be modules
> >>> params?
> >> Hi!
> >>
> >> I guess oracle allows the defintion of new function. Then 
> you could 
> >> write the functions char_length() and rand() which would be just 
> >> wrappers to lengthc() and dbms_random.value.
> >>
> >>> 3. modules/avpops. All issues were resolved by config changes and 
> >>> replacing avp_db_load() with avp_db_query().
> >> Be careful - raw queries are vulnerable to SQL injection!!!
> >>
> >>> 4. modules/auth_db, alias_db, uri_db, group. Since MySQL is case 
> >>> insensitive and Oracle is not, I made changes in the code to use
> >>> raw_query() instead of query(). All queries have to be in 
> the form 
> >>> "select ... from ... where username=upper(...)"
> >> Again: Be careful - raw queries are vulnerable to SQL injection!!!
> >>>  
> >>> I would be happy to provide patches and help in any way 
> in order to 
> >>> make this migration easier in the future. However I am not sure 
> >>> whether my changes are general enough for everybody to use.
> >> So, do you
> >>> have any suggestions about how to deal with these issues?
> >> There is a oracle module in ser - you could port it to openser ;-)
> >>
> >> regards
> >> klaus
> >>
> >>> Another issue that came up is the number of connections
> >> from Openser
> >>> to the database. In our case, listening to five interfaces,
> >> with tcp
> >>> disabled and children=5, we get 28 connections to DB which
> >> is a great
> >>> waste of resources. From those five interfaces, one is
> >> receiving the
> >>> bulk of traffic and the rest receive minimal traffic. Since
> >> each child
> >>> has its own connection, then what is the purpose of
> >> connection pooling?
> >>> How difficult would it be to have a common connection 
> pool for all 
> >>> children?
> >>>  
> >>> sorry for the long email and thank you in advance for any answer.
> >>>  
> >>> George
> >>>  
> >>>  
> >>>  
> >>>  
> >>>
> >>> Disclaimer
> >>> The information in this e-mail and any attachments is
> >> confidential. It is intended solely for the attention and 
> use of the 
> >> named addressee(s). If you are not the intended recipient, 
> or person 
> >> responsible for delivering this information to the intended 
> >> recipient, please notify the sender immediately. Unless 
> you are the 
> >> intended recipient or his/her representative you are not 
> authorized 
> >> to, and must not, read, copy, distribute, use or retain 
> this message 
> >> or any part of it. E-mail transmission cannot be guaranteed to be 
> >> secure or error-free as information could be intercepted, 
> corrupted, 
> >> lost, destroyed, arrive late or incomplete, or contain viruses.
> >>>
> >>>
> >>>
> >>>
> >> 
> ---------------------------------------------------------------------
> >> -
> >>> --
> >>>
> >>> _______________________________________________
> >>> Users mailing list
> >>> Users at openser.org
> >>> http://openser.org/cgi-bin/mailman/listinfo/users
> >>
> >> --
> >> Klaus Darilion
> >> nic.at
> >>
> >>
> 
> 
> --
> Klaus Darilion
> nic.at
> 
>

More information about the sr-users mailing list