[Users] avpops: new function avp_db_query()
Klaus Darilion
klaus.mailinglists at pernau.at
Mon Feb 20 14:19:55 CET 2006
Daniel-Constantin Mierla wrote:
> Hello Klaus,
>
> On 02/20/06 12:31, Klaus Darilion wrote:
>> Daniel-Constantin Mierla wrote:
>>> Hello Klaus,
>>>
>>> On 02/17/06 14:59, Klaus Darilion wrote:
>>>> Is the query SQL-injection safe?
>>> Depending on what you do and how :-). Authenticating the user should
>>> prevent bad values in the From header and credentials, some character
>>> sequences are not allowed to be part of user or domain names. Using
>>> values from custom headers is quite risky, you have to use other
>>> techniques to ensure a trusted value. So, I am sure that someone can
>>> get some examples of doing sql-injections even without using
>>> avp_db_query() , there are many other modules doing SQL queries using
>>> parts of SIP message, but these situations can be avoided if you know
>>> what you are doing in the script. I do not know a technique to
>>> prevent 100% SQL-injections, are you aware of one?
>>
>> AFAIK there are 2 ways to prevent SQL injection.
>> 1. quoting and escaping
>> 2. Do not provide the user input in the SQL query, but explicitly as a
>> parameter. This way, the DB client library prevents SQL injection.
>>
>> I've checked the postgresql module, which supports both versions. If
>> "params" are defined, the safe version is used. But, when raw queries
>> are used, there is no protection through the API, thus, checks must be
>> done before. Does this query work?
>>
>> if (avp_subst("s:foo","/\"//")) {
>> sl_send_reply("403","bad syntax");
>> }
> I am not sure I got what you want to achieve with this statement. Do you
> want to forbid messages which have quotes or some other "dangerous"
> characters in some pseudo-variables? Or you want to escape the quotes?
>
> You can do quoting and escaping from the script, as you already
> mentioned, using avp_subst(). Checks for special characters like quotes
> or double dash can be done via avp_check().
I didn't find out how to use avp_check, thus I used avp_subst.
regards
klaus
>
> Cheers,
> Daniel
>
>>
>>
>> regards
>> klaus
>>
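As an added illustration of the two approaches Klaus lists (this is example code written for this page, not code from the thread or from the OpenSER modules), the following Python uses SQLite to show a raw query breaking on a legitimate value that contains a quote, the same value passing safely as a bound parameter, and a check/escape step of the kind the avp_check()/avp_subst() test above is meant to provide; the table, rows and function names are constructed.

```python
import re
import sqlite3


def make_db():
    # Constructed sample subscriber table, standing in for the table an
    # avp_db_query() lookup would hit; rows and column names are made up.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE subscriber (username TEXT, domain TEXT, rpid TEXT)")
    db.executemany("INSERT INTO subscriber VALUES (?, ?, ?)",
                   [("alice", "example.com", "+43100"),
                    ("bob", "example.com", "+43200")])
    return db


def raw_query(db, user):
    # Raw-query style: the SIP-derived value is pasted into the SQL text,
    # so the database parses whatever characters it contains as SQL.
    sql = "SELECT rpid FROM subscriber WHERE username='%s'" % user
    return [row[0] for row in db.execute(sql)]


def param_query(db, user):
    # Way 2 from the thread: the value travels as a bound parameter and the
    # client library keeps it as data, never as SQL syntax.
    rows = db.execute("SELECT rpid FROM subscriber WHERE username=?", (user,))
    return [row[0] for row in rows]


# Characters the thread singles out (quotes, double dash) plus backslash
# and semicolon; this is a constructed policy, not an OpenSER default.
DANGEROUS = re.compile(r"""['"\\;]|--""")


def value_is_clean(value):
    # Way 1, check variant: the analogue of the avp_check()/avp_subst() test.
    return DANGEROUS.search(value) is None


def sql_escape(value):
    # Way 1, escape variant (SQL-standard quoting as SQLite applies it):
    # double every single quote so it stays inside the string literal.
    return value.replace("'", "''")


def raw_query_fails(db, user):
    # True when the raw query cannot even be parsed for this value.
    try:
        raw_query(db, user)
        return False
    except sqlite3.OperationalError:
        return True
```

A value such as o'brien is perfectly legal in a SIP user part yet breaks the raw query, which is exactly why a raw query needs either the escape step or the check step in front of it, while the parameterised form needs neither.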