Mar 02, 2015; 14:59
Jolle Carlestam
array -> encodesql - Next issue of the highly irregular Non Weekly Lasso Tidbit
When constructing sql queries I, from time to time, find myself in a situation where I want to use stuff from an array in the query. Here's an example when that is handy:
local(
    // NB: the quotes around each id come from the join string, so the array values
    // go into the statement completely unescaped
    rows = my_DS -> sql("SELECT name FROM mytable WHERE id IN ('" + #myArrayWithIds -> join("', '") + "')", -1) -> rows
)
Ah, but there's a problem with the above. What if there's an evil sql injection hidden in one of the values in #myArrayWithIds? Not good.
Unfortunately this won't help:
id IN ('" + #myArrayWithIds -> join("', '") -> encodesql + "')
It would encode the legal quotes in there as well as any possible evil sql string.
Well, we can of course clean up the array first. Run a query expression on it and make sure that all values in the array are safe to use. But it would clutter our code and not be as elegant as the solution I'm proposing.
Let's instead expand the array type to accept encodesql. Doing that, we can adjust the original example like this:
local(
    // encodesql& escapes every element in place and, thanks to the &, returns the array
    // itself so the join can be chained on
    rows = my_DS -> sql("SELECT name FROM mytable WHERE id IN ('" + #myArrayWithIds -> encodesql& -> join("', '") + "')", -1) -> rows
)
How do we do that? Simple: add this to the place where you keep all your custom types and methods, be it LassoStartUp, a LassoApp or wherever.
define array -> encodesql() => {
    // Walk the array by index so each slot can be overwritten with its escaped value
    loop(.size) => {
        if(.get(loop_count) -> isa(::pair)) => {
            // A pair is escaped on both sides and put back as a new pair
            .get(loop_count) = pair(
                .get(loop_count) -> first -> asstring -> encodesql,
                .get(loop_count) -> second -> asstring -> encodesql)
        else
            // Everything else is coerced to a string and escaped
            .get(loop_count) = .get(loop_count) -> asstring -> encodesql
        }
    }
}
Let's try it:
local(myarray = array('1', '2', "a';DROP TABLE users; SELECT * FROM userinfo WHERE 't' = 't"))
#myarray -> encodesql& -> join('<br />')
-> 1
2
a\';DROP TABLE users; SELECT * FROM userinfo WHERE \'t\' = \'t
Yep, works.
NB, this is of course a Lasso 9 tip.
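An added variant, not part of the original post, that builds the quoted IN-list itself instead of escaping in place: it leaves the caller's array untouched (so calling it twice cannot double-escape anything) and handles an empty array, where IN () would be a SQL syntax error. The method name sqlinlist and the locals #ids and #sql are assumed names.

```lasso
// Added example (not from the original post): build a quoted, escaped
// IN-list from an array without mutating the caller's array.
// sqlinlist is an assumed name, not a built-in Lasso method.
define array -> sqlinlist() => {
    // An empty IN () is a SQL syntax error; IN (NULL) matches no row,
    // which is the safe outcome when there is nothing to look up.
    if(.size == 0) => {
        return 'NULL'
    }
    local(parts = array())
    loop(.size) => {
        // Escape first, then add the delimiting quotes ourselves, so the
        // escaping can never touch the quotes that delimit each value.
        #parts -> insert("'" + .get(loop_count) -> asstring -> encodesql + "'")
    }
    return #parts -> join(', ')
}

// Constructed sample input, including an injection attempt
local(ids = array(1, 2, "a';DROP TABLE users; --"))
local(sql = "SELECT name FROM mytable WHERE id IN (" + #ids -> sqlinlist + ")")
// #ids is still the original, unescaped array; #sql can now be handed to
// my_DS -> sql(#sql, -1) as in the examples above
```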
HDB
Jolle
This message is sent to you because you are subscribed to
the mailing list Lasso Lasso@lists.lassosoft.com
Official list archives available at http://www.lassotalk.com