Re: Programmers toolkit - C api sprintf-like mysql_query()

From: Jerry Stuckle <jstucklex_at_attglobal.net>
Date: Sun, 2 Jul 2017 21:17:24 -0400
Message-ID: <ojc5n6$o2f$1_at_jstuckle.eternal-september.org>

On 7/2/2017 6:55 PM, Lew Pitcher wrote:
> Jerry Stuckle wrote:
>
>> On 7/2/2017 3:46 PM, Lew Pitcher wrote:
>>> Jerry Stuckle wrote:
>>>
>>> [snip]
>>>
>>>> Ensure you call mysql_real_escape_string() for all non-numeric values
>>>> that come from external sources. Failure to do so can lead to a SQL
>>>> injection attack.
>>>
>>> Thanks for the reminder, Jerry.
>>>
>>> I don't see, however, how that suggestion has anything directly to do
>>> with the code I posted, or the implementation pattern it replaces.
>>>
>>> To me, it is about as helpfull as also reminding everyone who read my
>>> post that they must call mysql_init() to obtain a valid dbm handle; it's
>>> true, and important, but irrelevant to the current discussion.
>>>
>>> But, thanks anyway for the reminder.
>>>
> [snip]
>> when add a string value to your INSERT (or any other)
>> statement, you need to ensure the string is escaped by
>> mysql_real_escape_string(). Your code doesn't do that,
>
> And, neither does a naked call to mysql_query().
>

No, and that's why a naked call to mysql_query() is subject to SQL injection attacks.

> And, as I said earlier, my function is intended to substitute for the
> malloc()/sprintf()/mysql_query()/free() pattern.
>
> As I said, I feel that your comment is about as relevant as an observation
> that you must first build a dbm handle using mysql_init() before using it in
> my function; it is both true and important, but irrelevant to the discussion
> of using one query function to substitute for another.
>

You're just leaving your code open to SQL injection attacks.

>> which leaves it open to a SQL injection attack.
>
>
>
>> Of course, if you BIND values instead, you don't need to escape the
>> strings.
>
> And, as I said, a prepared statement would be overkill for the situation
> that I see this function being used in.
>

Maybe, maybe not. But to prevent SQL injections, you must either use BIND values or mysql_real_escape_string() on all strings from external sources in a SQL statement.

> If you want to write a query function that either extends mine (by calling
> mysql_real_escape_string() where necessary, before calling mysql_query() )
> or replaces mine (by encapsulating logic to prepare and execute a "prepared
> statement"), please be my guest.
>
> Anyway, thanks for your feedback.
>

I use prepared statements in most of my C code to prevent such problems. And I also don't suggest people use insecure code.

It's your code - do with it what you want. But please - don't recommend others use such insecure code.

-- 
==================
Remove the "x" from my email address
Jerry Stuckle
jstucklex_at_attglobal.net
==================

Received on Mon Jul 03 2017 - 03:17:24 CEST

This message: [ Message body ]
Next message: The Natural Philosopher: "Re: Programmers toolkit - C api sprintf-like mysql_query()"
In reply to Lew Pitcher: "Re: Programmers toolkit - C api sprintf-like mysql_query()"
Next in thread: The Natural Philosopher: "Re: Programmers toolkit - C api sprintf-like mysql_query()"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]

Original text of this message