[DB-SIG] In praise of pyformat

Mike Meyer mwm-keyword-dbsig.588a7d at mired.org
Tue Aug 14 20:10:46 CEST 2007


On Tue, 14 Aug 2007 12:27:19 -0500 Carl Karsten <carl at personnelware.com> wrote:

> >> How often does an identifier come from an untrusted source?
> > 
> > Um, how about in every web-based app that has a real search facility?
> > One that lets the user specify which column(s) they want to check, or
> > that can search multiple tables? I seem to be involved in working on
> > one of those every few years: an SGML document search engine, a user
> > database search engine, a webmail client, a workflow management
> > system, and a software change tracking system are what I can recall
> > now.
> 
> hmm, I think I see it.  Even if you provide a list of valid identifiers to the 
> browser, there is nothing to prevent that being replaced.

Exactly. In this case, it's fairly straightforward to check that the
identifier is valid, but that's not always been the case for me.

> Got the URL of one of these so I can examine it?

None of the ones I've worked on that are still up are accessible to
the public. However, bugzilla is a typical example of this type of
interface (built on top of mysql): https://bugzilla.mozilla.org/query.cgi

Even better, the source is available. I haven't checked it to see if
the HTTP query includes column names or not, though.

    <mike
-- 
Mike Meyer <mwm at mired.org>		http://www.mired.org/consulting.html
Independent Network/Unix/Perforce consultant, email for more information.
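The check Mike mentions, a user-chosen table and column set validated against an allowlist before the pyformat query is built, as an added example that is not code from the thread. The schema is constructed, and because sqlite3 speaks the "named" paramstyle rather than pyformat, a small translation shim is included only to run the demo; a pyformat driver would take the SQL as built.

```python
import re
import sqlite3

# Constructed allowlist: the only identifiers a search form may name.
SEARCHABLE = {
    "bugs": ("id", "summary", "status"),
    "users": ("id", "login", "realname"),
}


def quote_ident(name):
    """Double-quote an SQL identifier, doubling any embedded quote."""
    return '"' + name.replace('"', '""') + '"'


def build_search(table, columns, term):
    """Check untrusted table/column names against SEARCHABLE, then build
    a pyformat query: identifiers come only from the allowlist and the
    search term is bound as a parameter, never interpolated."""
    if table not in SEARCHABLE:
        raise ValueError("unknown table: %r" % (table,))
    bad = [c for c in columns if c not in SEARCHABLE[table]]
    if bad or not columns:
        raise ValueError("not searchable in %s: %r" % (table, bad))
    where = " OR ".join("%s LIKE %%(term)s" % quote_ident(c) for c in columns)
    sql = "SELECT %s FROM %s WHERE %s" % (
        quote_ident("id"), quote_ident(table), where)
    return sql, {"term": "%" + term + "%"}


def run_on_sqlite(conn, sql, params):
    """Demo-only shim: sqlite3 uses the 'named' paramstyle, so rewrite
    %(name)s placeholders to :name before executing."""
    named = re.sub(r"%\((\w+)\)s", r":\1", sql)
    return [row[0] for row in conn.execute(named, params)]


def demo():
    """Run an allowlisted search over a constructed in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bugs (id INTEGER, summary TEXT, status TEXT)")
    conn.executemany("INSERT INTO bugs VALUES (?, ?, ?)", [
        (1, "crash on start", "NEW"),
        (2, "typo in docs", "RESOLVED"),
        (3, "slow query", "NEW")])
    sql, params = build_search("bugs", ["summary", "status"], "NEW")
    return run_on_sqlite(conn, sql, params)
```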
