[ic] Re: Form Input and Database Insert Safety, Interchange

Andrew N augustine.andrew at gmail.com
Mon May 22 20:36:26 EDT 2006


>> Interchange has a [filter] tag that, given the type of filter as an
>> argument, can do what you want. In your case, you're interested in the
>> 'sql' filter:
>>
>>       [filter op=sql interpolate=1][cgi my_raw_form_data][/filter]
>>
>> There are numerous other useful filters for all manner of data
>> transformation in addition to this one.
>>
>> A word of caution on the sql filter in 4.9. Your version escapes by the
>> SQL-standard of doubling up single quotes. Unfortunately, databases such
>> as MySQL and Postgres also allow backslash escaping, which means it's
>> still possible to produce SQL injections using a combination of single
>> quotes and backslashes. The current IC uses the native DBI quote method
>> so that escapes for a particular database are handled properly according
>> to its particular DBD.
>>
>Later versions of the [query] tag have a [sql-quote] "subtag" that
>will do a proper $db->quote() on the value:
>
>   [query
>       list=1
>       sql=|
>           SELECT  code
>           FROM    products
>           WHERE   sku = [sql-quote][cgi sku][/sql-quote]
>       |
>   ]
>   ...
>   [/query]
>
>That will work for INSERT and DELETE (etc.) too, of course, and will
>avoid the need for [filter].  It also neatly side-steps any potential
>security issues.
>
>I suggest an upgrade from 4.9 (development) to 5.4 (stable), which will
>provide you with this facility, and lots of other goodies.  On the
>other hand, any competent Interchange consultant will be able to
>back-port this facility into 4.9.
>
>


Thank you very much to both of you for the information.  This leads me
to some other questions.

I've been away from Interchange for 2.5 years, and I was never an
Interchange whiz to begin with.  I have found the documentation
somewhat confusing as well.  So, I could use any additional help to
avoid injection attacks.  What is my best bet to do quickly before I
go through the upgrade process?  Upgrading could be very tough because
it is a customized admin tool and probably customized old IC tags as
well.

Also, are there any known security issues with Interchange 4.9.5?
Some of our old tags are actually residuals from 4.8.6!

Finally, I may then be looking for consultants if I make this upgrade.
I'm guessing from your signatures that you may both be in the
business.  Feel free to recommend consultants by sending me an e-mail
directly.

Thanks again.

Andy
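The quote-doubling weakness described in the quoted advice, as an added Perl example that is not Interchange's own code: a naive quoter that only doubles single quotes beside a backslash-aware one, plus a small MySQL-style literal walker that checks whether the quoted value is still one closed string. It assumes MySQL's default (backslash-escaping) string syntax; `quote_backslash_aware` stands in for what DBI's `$dbh->quote` does under DBD::mysql and is not the DBI code itself.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# SQL-standard quoting as in the 4.9-era sql filter: only ' is doubled.
sub quote_doubling {
    my ($v) = @_;
    $v =~ s/'/''/g;
    return "'$v'";
}

# Backslash-aware quoting: escape \ as well as ', the way a database
# driver's quote() does for MySQL (stand-in for DBI's $dbh->quote).
sub quote_backslash_aware {
    my ($v) = @_;
    $v =~ s/\\/\\\\/g;
    $v =~ s/'/\\'/g;
    return "'$v'";
}

# Walk a quoted literal as a MySQL-style parser would (default mode):
# a backslash escapes the next character and '' is a literal quote.
# Returns the offset just past the closing quote, or -1 if unterminated.
sub literal_end {
    my ($sql) = @_;
    my @c = split //, $sql;
    my $i = 1;                                  # skip the opening quote
    while ($i < @c) {
        if ($c[$i] eq '\\') { $i += 2; next; }  # escaped character
        if ($c[$i] eq "'") {
            if ($i + 1 < @c && $c[$i + 1] eq "'") { $i += 2; next; }
            return $i + 1;                      # closing quote found
        }
        $i++;
    }
    return -1;
}

# True only if the whole quoted value is exactly one closed literal,
# i.e. nothing leaks outside the string and it is not left open.
sub is_single_literal {
    my ($quoted) = @_;
    return literal_end($quoted) == length($quoted);
}

my $value = q{\'};   # constructed input: a backslash followed by a quote
for my $pair (['doubling', \&quote_doubling],
              ['backslash-aware', \&quote_backslash_aware]) {
    my ($name, $quoter) = @$pair;
    my $lit = $quoter->($value);
    printf "%-16s %-8s %s\n", $name, $lit,
        is_single_literal($lit) ? 'one closed literal' : 'NOT a single literal';
}
```

With the constructed input, the doubling quoter yields `'\'''`, which the walker reports as not a single literal (the backslash consumes the first quote and the string is left open), while the backslash-aware quoter yields `'\\\''`, a single closed literal.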


