Why Is Escaping Data Considered So Magical?
in [Python]
|
Prev: GDAL-1.7.1 : vcvarsall.bat missing
Next: improving python performance by extension module (64bit)
From: Ian Kelly on 26 Jun 2010 02:33 On Thu, Jun 24, 2010 at 9:38 PM, Lawrence D'Oliveiro <ldo(a)geek-central.gen.new_zealand> wrote: > In message <2010062422432660794-angrybaldguy(a)gmailcom>, Owen Jacobson wrote: > >> Why would I write this when SQLAlchemy, even without using its ORM >> features, can do it for me? > > SQLAlchemy doesnt seem very flexible. Looking at the code examples > <http://www.sqlalchemy.org/docs/examples.html>, theyre very procedural: > build object, then do a string of separate method calls to add data to it.. I > prefer the functional approach, as in my table-update example. Your example from the first post of the thread rewritten using sqlalchemy: conn.execute( items.update() .where(items.c.inventory_nr == modify_id) .values( dict( (field[0], Params.getvalue("%s[%s]" % (field[1], urllib.quote(modify_id)))) for field in [ (items.c.class_name, "modify_class"), (items.c.make, "modify_make"), (items.c.model, "modify_model"), (items.c.details, "modify_details"), (items.c.serial_nr, "modify_serial"), (items.c.inventory_nr, "modify_invent"), (items.c.when_purchased, "modify_when_purchased"), ... you get the idea ... (items.c.location_name, "modify_location"), (items.c.comment, "modify_comment"), ] ) ) .values(last_modified = time.time()) ) Doesn't seem any less flexible to me, plus you don't have to worry about calling your SQLString function at all. Cheers, Ian
From: Robert Kern on 26 Jun 2010 03:39 On 2010-06-25 19:49 , Lawrence D'Oliveiro wrote: > In message<slrni297ec.1m5.grahn+nntp(a)frailea.sa.invalid>, Jorgen Grahn > wrote: > >> I thought it was well-known that the solution is *not* to try to >> sanitize the input -- it's to switch to an interface which doesn't >> involve generating an intermediate executable. In the Python example, >> that would be something like os.popen2(['zcat', '-f', '--', untrusted]). > > That's what I mean. Why do people consider input sanitization so hard? It's not hard per se; it's just repetitive, prone to the occasional mistake, and, frankly, really boring. When faced with things like that, we do what we do everywhere else in programming: wrap up the repetitive bits into a simpler library API and use that everywhere. Wrapping up the escaping code into SQLString is a step in that direction. However, the standard SQL parameterization in most of the DB protocols or SQLAlchemy's query construction removes even more repetition and unnecessary typing. There's just no point in not using it. -- Robert Kern "I have come to believe that the whole world is an enigma, a harmless enigma that is made terrible by our own mad attempt to interpret it as though it had an underlying truth." -- Umberto Eco
From: Nobody on 26 Jun 2010 06:49 On Sat, 26 Jun 2010 12:40:41 +1200, Lawrence D'Oliveiro wrote: >>> I construct ad-hoc queries all the time. It really isn't that hard to >>> do safely. >> >> Wrong. >> >> Even if you get the quoting absolutely correct (which is a very big "if"), >> you have to remember to perform it every time, without exception. >> >> More generally, as a program gets more complex, "this will work so long as >> we do X every time without fail" approaches "this won't work". > > That's a content-free claim. Why? Because it applies equally to everything. > Replace “quoting” with something like “arithmetic”, and you'll > see what I mean: If you omit the arithmetic, the program is likely to fail in very obvious ways. Escaping is "almost" an identity function, which makes it far more likely that omission or repetition will go unnoticed. >> And you need to perform it exactly once. As the program gets more complex, >> ensuring that it's done in the correct place, and only there, gets harder. > > Nonsense. It only needs to be done at the boundary to the appropriate > component (MySQL, HTML, JavaScript, whatever). That assumes that you have a well-defined "boundary", which isn't necessarily the case. In any case, you're still trying to make arguments about whether it's easy or hard to get it right, which completely misses the point. Eliminating the escaping entirely makes it impossible to get it wrong.
From: Nobody on 26 Jun 2010 07:04 On Fri, 25 Jun 2010 20:43:51 -0400, Roy Smith wrote: > To bring this back to something remotely Python related, the point of > all this is that security is hard. Oh, this isn't solely a security issue. Ask anyone with a surname like O'Neil, O'Connor, O'Leary, etc; they've probably broken a lot of web apps *without even trying*.
From: Roy Smith on 26 Jun 2010 07:59
In article <2010062522560231540-angrybaldguy(a)gmailcom>, Owen Jacobson <angrybaldguy(a)gmail.com> wrote: > It's not hard. It's just begging for a visit from the fuckup fairy. QOTD? |