[ic] turn off error logging for specific MySQL query (Form Security)

John Young interchange-users@icdevgroup.org
Sun Dec 15 18:46:01 2002


Paul replied to Jeff:
> Thanks Jeff
> 
> I am glad you brought this up because I have been wanting to audit my
> site for some time. Does this seem satisfactory (in example)?
> 
>     [cgi name=n_name filter="textarea_put entities"]
> 
> I also set my inputs to the bare minimum maxlength. The ones in the
> above are all < 20.
> 
> Thanks in advance
> 
> Paul

You might wish to tailor your filters a bit.  I could be wrong here, but
those filters might do more than you wish.  That is, do you really want
& encoded if someone enters "John & Mary" for a first name?  (That's
assuming n_name is not part of a URL or whatever.)  Also, textarea_put
looks like it encodes quite a few characters.

If you find that those are indeed encoding things more than you wish,
and some combination of the many supplied filters isn't doing it for you,
consider building your own filter.  You can add your own entry to the
~interch/code/Filter directory.  Perhaps:

CodeDef whateverfiltername Filter
CodeDef whateverfiltername Routine <<EOR
sub {
        my $val = shift;
        # Put a backslash in front of backslash, single quote, double quote,
        # ? and %, so none of them can end a quoted SQL literal or act as a
        # LIKE wildcard when the value is interpolated into a query.
        $val =~ s/([\\'"?%])/\\$1/g;
        return $val;
}
EOR

If it's mainly just SQL queries for which you are filtering, the quotes
are most important, but adding % to that could be helpful if the cgi
variable goes into a query which uses LIKE.
There is a built-in filter definition (see Interpolate.pm or ictags.txt) called 'sql',
which just handles single-quotes.

If you are building queries in Perl, either use placeholders ( blah = ? )
or dbh->quote() to help protect your queries.

An alternate method of designating filtering is with:
    Filter cgivar "filter1 filter2 ..."
in catalog.cfg.  For instance:
    Filter n_name "strip 20 whateverfiltername"

IMO, the nice thing about that approach is that you're covered if you
forget to use [filter] in a page (you don't need both).

Thanks to Mike and Kevin for helping me with the above on IRC some time ago.

Maxlength from a form cannot be trusted.  It's convenient, and I believe
in using it, but it doesn't count towards security much (since the end user
can modify the HTML).  There is maxlength functionality in Filter/[filter] that is
good for that purpose, however.  From ictags.txt:
    "If you pass just a numeric argument, filter will return only first N characters."


John Young
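The three defences the reply above describes, put side by side as an added example that is not part of the original message or of Interchange itself: an escaping filter with the same regex as the CodeDef sample, a server-side length limit standing in for "filter 20", and DBI queries using $dbh->quote() and placeholders. It assumes DBI and DBD::SQLite are installed (an in-memory database, so no MySQL server is needed); the table name, column name and sample rows are constructed for the demonstration. Note that DBD::SQLite doubles quotes rather than backslash-escaping them, which is exactly why the driver-aware $dbh->quote() is used for the interpolated query instead of the MySQL-style filter.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;   # assumption: DBI and DBD::SQLite are installed

# Same escaping as the CodeDef filter in the message, as a plain sub.
# This backslash style is what MySQL understands in a quoted literal.
sub escape_filter {
    my $val = shift;
    $val =~ s/([\\'"?%])/\\$1/g;
    return $val;
}

# Server-side length limit: the job "filter 20" does in Interchange and
# that a form's maxlength attribute cannot be trusted to do.
sub maxlength_filter {
    my ($val, $n) = @_;
    return substr($val, 0, $n);
}

# Escape LIKE wildcards (and the escape char itself) in user data so the
# data is matched literally even though it is passed as a placeholder.
sub like_escape {
    my $val = shift;
    $val =~ s/([\\%_])/\\$1/g;
    return $val;
}

# Constructed sample inputs: an ordinary name, one containing a quote,
# one containing a LIKE wildcard, and one longer than the form allows.
my @samples = ("John & Mary", "O'Brien", "50%", "A" x 40);

# In-memory SQLite database seeded with a few constructed rows.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do("CREATE TABLE customers (n_name TEXT)");
my $ins = $dbh->prepare("INSERT INTO customers (n_name) VALUES (?)");
$ins->execute($_) for ("John & Mary", "O'Brien", "50% off", "5000 items");

for my $raw (@samples) {
    my $val = maxlength_filter($raw, 20);   # length first, as in "strip 20 ..."
    printf "%-22s escaped for a MySQL ITL query: %s\n",
        "'$raw'", escape_filter($val);

    # (a) Query built by string interpolation: $dbh->quote() produces a
    # literal the driver guarantees is safe ('O''Brien' for SQLite).
    my $quoted = $dbh->quote($val);
    my ($n_eq) = $dbh->selectrow_array(
        "SELECT COUNT(*) FROM customers WHERE n_name = $quoted");

    # (b) Placeholder: pass the raw (length-limited) value and let the
    # driver quote it. Do NOT also run it through escape_filter, or the
    # backslashes become part of the data being compared.
    my ($n_ph) = $dbh->selectrow_array(
        "SELECT COUNT(*) FROM customers WHERE n_name = ?", undef, $val);

    # (c) LIKE: a placeholder stops injection but not wildcards. Without
    # escaping, "50%" as a prefix also matches "5000 items".
    my ($n_like_raw) = $dbh->selectrow_array(
        "SELECT COUNT(*) FROM customers WHERE n_name LIKE ?",
        undef, "$val%");
    my ($n_like_esc) = $dbh->selectrow_array(
        q{SELECT COUNT(*) FROM customers WHERE n_name LIKE ? ESCAPE '\'},
        undef, like_escape($val) . "%");

    printf "   matches: quote()=%d placeholder=%d LIKE prefix raw=%d escaped=%d\n",
        $n_eq, $n_ph, $n_like_raw, $n_like_esc;
}
$dbh->disconnect;
```

Running it shows "O'Brien" matching once under both quote() and placeholder, the 40-character input being cut to 20 and matching nothing, and "50%" as a prefix matching two rows unescaped but only "50% off" once the wildcard is escaped.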