-
Notifications
You must be signed in to change notification settings - Fork 47
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Parametrized queries #58
Comments
+1. The current behavior looks pretty dangerous to me, and other libraries don't do this. Not only one incorrect Putting it in other words, if this library sends parameters by |
I've run into multiple issues related to this recently, some of which I can't work around because (I believe) there are bugs in escaping of values and query parsing. See #106 and #107 I'd expect it'd make code simpler and more consistent with other libraries while having a clean path to feed parameters in. |
Which other libraries? #107 wouldn't be fixed by this, as even for How I have no intention to work on this. I'm curious to see a patch, but no guarantee I'll merge that though. I don't think code will be made simpler, just different. |
Any library that uses
Sounds a lot like |
I think you misunderstood what |
That sounds like an implementation detail that I don't see documented. Implementing this function as a traversal over a proper prepared statement would still meet what's specified here. That's what |
It won't. Multiple queries are not transactional. That change would be also breaking and of the "type-checker doesn't help you to migrate". |
You should update the documentation for It doesn't state it's atomic (though presumably it would be in an explicit transaction) and it doesn't state it's a single statement. It doesn't state that your query parser won't work without the question marks being inside a The only reasonable implementation of this as documented would be a prepared statement with the parameters safely delivered, which is why it's relevant to this bug. Alternatively, allowing users to programmatically construct a query with a multi- But the "you must know the undocumented ways we manipulate the strings you send us in order to make new strings of user input to send to the database" model you currently have is very surprising and the bugs that fall out of it are quite discouraging. |
It looks like
postgresql-simple
does not actually support parametrized queries.When using
?
syntax to inject values into queries, the values are converted to (query) strings (via theToField
class), and the query string is parsed on the client, and?
's replaced with the encoded values.From a security perspective, this is kind of bad - all it takes to create a potential opening for an SQLi attack is one incorrect
ToField
instance, or a particularly quirky query that the query parser isn't prepared to handle, or a bug in the escaping code. And this is a completely unnecessary risk, because postgres natively supports parametrized queries (see for example PQexecParams), keeping the query unchanged, and sending parameters separately; the parametrization happens on the server, and does not involve rewriting SQL source code (the value get injected into the query AST on the server). There is no risk of SQL injection here, because by the time postgres looks at the dynamic values, the SQL query source code has already been discarded.The text was updated successfully, but these errors were encountered: