Re: [boost] Review of Boost.MySql
I was just imagining users concatenating queries. May be a misconception, yours is a legitimate use case.
I've thought more about this, and I'm guessing you were thinking about this XKCD https://xkcd.com/327/ SQL Injection.
Yes, this was definitely what I was thinking of ;)
The proper and ideal remedy is not the XKCD one though, it is using prepared statements and binding values.
The still proper but less ideal next remedy is a "safe" way to concatenate user inputs into textual SQL, i.e. the equivalent of SQLite: https://www.sqlite.org/printf.html (with %q and %Q), or PostgreSQL: https://www.postgresql.org/docs/current/libpq-exec.html#LIBPQ-PQESCAPELITERA... Since you want to avoid the MySQL client, which I suppose has this too, you have to provide your own.
Since not everything can be done with prepared statements (I've been shown some legitimate use cases that are not covered), I've raised https://github.com/anarthal/mysql/issues/69 to address this, and I will likely implement something like this.
Third and finally, this XKCD hack indeed only works if one can execute several semicolon-separated statements. So on second thought, it would *definitely* be a good thing to have separate APIs to execute a single statement, as opposed to executing "scripts" of statements, plural. With a single-statement API, *even* the XKCD hack won't work, since it would yield an invalid single statement. This is what you had in mind IMHO :).
The trouble with this is that multi-statement is not a separate protocol primitive, but rather something you turn on or off for the entire session. So your connections either support it or don't. If you include such a semicolon separated set of queries in your query request, and this capability is turned on, the server will happily execute it. So maybe this should be implemented as an extra value in connection_params (https://anarthal.github.io/mysql/mysql/connparams.html) with adequate security warnings.
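As an added illustration of the "safe concatenation" fallback discussed above (the %Q-style quoting), not code from Boost.MySql or from either participant: a minimal quoting routine following MySQL's backslash-escaping rules for single-quoted literals, plus a '?' placeholder substitution on a trusted query template. It assumes the session is not in NO_BACKSLASH_ESCAPES mode and uses a character set (such as utf8mb4) in which the escaped byte values never occur inside a multibyte sequence; with other charsets this kind of per-byte escaping is not safe and prepared statements remain the only correct remedy.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>
#include <string_view>
#include <vector>

// Escape a value the way MySQL expects inside a single-quoted literal and
// wrap it in quotes (the equivalent of SQLite's %Q).
// ASSUMPTION: backslash escaping is enabled for the session and the
// connection charset is utf8mb4 or another ASCII-compatible charset.
std::string quote_literal(std::string_view value) {
    std::string out;
    out.reserve(value.size() + 2);
    out.push_back('\'');
    for (char c : value) {
        switch (c) {
            case '\0':   out += "\\0";  break;
            case '\n':   out += "\\n";  break;
            case '\r':   out += "\\r";  break;
            case '\\':   out += "\\\\"; break;
            case '\'':   out += "\\'";  break;
            case '"':    out += "\\\""; break;
            case '\x1a': out += "\\Z";  break;  // Ctrl-Z, special on Windows
            default:     out.push_back(c);
        }
    }
    out.push_back('\'');
    return out;
}

// Replace each '?' in a developer-written (trusted) query template with the
// quoted literal of the corresponding untrusted argument. Every argument
// ends up inside one string literal, so it cannot terminate the statement.
std::string format_query(std::string_view tmpl,
                         const std::vector<std::string>& args) {
    std::string out;
    std::size_t next = 0;
    for (char c : tmpl) {
        if (c != '?') { out.push_back(c); continue; }
        if (next >= args.size()) throw std::invalid_argument("too few arguments");
        out += quote_literal(args[next++]);
    }
    if (next != args.size()) throw std::invalid_argument("too many arguments");
    return out;
}
```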
participants (1)
-
Ruben Perez