From: Ian Kelly on
On Thu, Jun 24, 2010 at 9:38 PM, Lawrence D'Oliveiro
<ldo(a)geek-central.gen.new_zealand> wrote:
> In message <2010062422432660794-angrybaldguy(a)gmailcom>, Owen Jacobson wrote:
>> Why would I write this when SQLAlchemy, even without using its ORM
>> features, can do it for me?
> SQLAlchemy doesn’t seem very flexible. Looking at the code examples
> <>, they’re very procedural:
> build object, then do a string of separate method calls to add data to it.. I
> prefer the functional approach, as in my table-update example.

Your example from the first post of the thread rewritten using sqlalchemy:

.where(items.c.inventory_nr == modify_id)
(field[0], Params.getvalue("%s[%s]" % (field[1],
for field in [
(items.c.class_name, "modify_class"),
(items.c.make, "modify_make"),
(items.c.model, "modify_model"),
(items.c.details, "modify_details"),
(items.c.serial_nr, "modify_serial"),
(items.c.inventory_nr, "modify_invent"),
(items.c.when_purchased, "modify_when_purchased"),
... you get the idea ...
(items.c.location_name, "modify_location"),
(items.c.comment, "modify_comment"),
.values(last_modified = time.time())

Doesn't seem any less flexible to me, plus you don't have to worry
about calling your SQLString function at all.

From: Robert Kern on
On 2010-06-25 19:49 , Lawrence D'Oliveiro wrote:
> In message<slrni297ec.1m5.grahn+nntp(a)>, Jorgen Grahn
> wrote:
>> I thought it was well-known that the solution is *not* to try to
>> sanitize the input -- it's to switch to an interface which doesn't
>> involve generating an intermediate executable. In the Python example,
>> that would be something like os.popen2(['zcat', '-f', '--', untrusted]).
> That's what I mean. Why do people consider input sanitization so hard?

It's not hard per se; it's just repetitive, prone to the occasional mistake,
and, frankly, really boring. When faced with things like that, we do what we do
everywhere else in programming: wrap up the repetitive bits into a simpler
library API and use that everywhere. Wrapping up the escaping code into
SQLString is a step in that direction. However, the standard SQL
parameterization in most of the DB protocols or SQLAlchemy's query construction
removes even more repetition and unnecessary typing. There's just no point in
not using it.

Robert Kern

"I have come to believe that the whole world is an enigma, a harmless enigma
that is made terrible by our own mad attempt to interpret it as though it had
an underlying truth."
-- Umberto Eco

From: Nobody on
On Sat, 26 Jun 2010 12:40:41 +1200, Lawrence D'Oliveiro wrote:

>>> I construct ad-hoc queries all the time. It really isn't that hard to
>>> do safely.
>> Wrong.
>> Even if you get the quoting absolutely correct (which is a very big "if"),
>> you have to remember to perform it every time, without exception.
>> More generally, as a program gets more complex, "this will work so long as
>> we do X every time without fail" approaches "this won't work".
> That's a content-free claim. Why? Because it applies equally to everything.
> Replace “quoting” with something like “arithmetic”, and you'll
> see what I mean:

If you omit the arithmetic, the program is likely to fail in very
obvious ways. Escaping is "almost" an identity function, which makes it
far more likely that omission or repetition will go unnoticed.

>> And you need to perform it exactly once. As the program gets more complex,
>> ensuring that it's done in the correct place, and only there, gets harder.
> Nonsense. It only needs to be done at the boundary to the appropriate
> component (MySQL, HTML, JavaScript, whatever).

That assumes that you have a well-defined "boundary", which isn't
necessarily the case.

In any case, you're still trying to make arguments about whether it's easy
or hard to get it right, which completely misses the point. Eliminating
the escaping entirely makes it impossible to get it wrong.

From: Nobody on
On Fri, 25 Jun 2010 20:43:51 -0400, Roy Smith wrote:

> To bring this back to something remotely Python related, the point of
> all this is that security is hard.

Oh, this isn't solely a security issue.

Ask anyone with a surname like O'Neil, O'Connor, O'Leary, etc; they've
probably broken a lot of web apps *without even trying*.

From: Roy Smith on
In article <2010062522560231540-angrybaldguy(a)gmailcom>,
Owen Jacobson <angrybaldguy(a)> wrote:

> It's not hard. It's just begging for a visit from the fuckup fairy.