
Re: Pickling over a socket

References (5 earlier) <20110420084431.0480aa41@chaostal.de> <BANLkTiksqp-RMyJj8UcbquiYxHZJqeSj-w@mail.gmail.com> <20110420093419.4b83fe4b@chaostal.de> <BANLkTim59M9ti6Dq+4=UCZxg_ZiXGX=LUA@mail.gmail.com> <20110420111723.2daf2437@chaostal.de>
Date 2011-04-20 19:26 +1000
Subject Re: Pickling over a socket
From Chris Angelico <rosuav@gmail.com>
Newsgroups comp.lang.python
Message-ID <mailman.631.1303291608.9059.python-list@python.org>



On Wed, Apr 20, 2011 at 7:17 PM, Bastian Ballmann <balle@chaostal.de> wrote:
> Well you forgot to escape ; and \ but this seems to slide into OT ;)

The semicolon doesn't need to be escaped in a quoted string, and the
backslash does only if it's the escape character. The
string-safetifier function that I used with DB2 was called "dblapos"
because it simply doubled every apostrophe - nothing else needed. On
the other hand, mysql_real_escape_string will escape quite a few
characters, for convenience in reading dumps.

> Am Wed, 20 Apr 2011 18:43:01 +1000
> schrieb Chris Angelico <rosuav@gmail.com>:
>
>> So, like Jean-Paul said, you simply do not trust anything that comes
>> from the network. Ever.
>
> If you generalize it in this way you should never trust any user input
> regardless of whether it comes from the net, from local input, or from the
> environment etc.

Yes, but the other half of the issue is that you have to treat
anything that comes over the network as "user input", even if you
think it's from your own program that you control.

>> Urrrm. You can "own" a "complete computer" with SQL injection? Then
>> someone has some seriously weak protection.
>
> Yes and the database is poorly protected, but this happens way too
> often.

That's just *sad*.

>> SQL injection is easier to
>> protect against than buffer overruns, and with a lot of function
>> libraries
>
> I totally disagree. Buffer overflow is just a matter of size checking,
> but sql injection is a matter of syntax. It's more than just throwing
> the input into a magic auto-escape function.

Buffer overruns can happen in all sorts of places; SQL injection can
only happen where you talk to the database. And it IS just a matter of
using a magic auto-escape function, if your library is set up right -
unless, of course, you allow your users to submit SQL themselves (eg a
WHERE clause). That's almost impossible to sanitize, which is why I
would never EVER allow such a thing unless it's actually a trusted
environment (eg PHPMyAdmin - anyone who has access to PMA has access
to the database anyway).

> We both agree that one should never trust user input blindly and we also
> seem to agree that one can use user input in an appropriate way that's
> not the case, but if I read your mail I think you want to tell me one
> should never ever use the internet or only write programs without user
> input at all.

Not at all; just never *trust* user input. Where thou typest foo,
someone someday will type...

ChrisA
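An added illustration of the point about "dblapos" versus a bound parameter, not part of the original post: a helper that doubles apostrophes (the only character that is special inside a standard SQL quoted string, which is why the semicolon and backslash in the samples need no escaping), compared against naive interpolation and sqlite3's own parameter binding. The table, sample names and function names are constructed for this example.

```python
import sqlite3

# Constructed sample data: one name with an apostrophe, one with a semicolon,
# one with a backslash. Only the apostrophe is special inside a SQL literal.
SAMPLE_NAMES = ["O'Brien", "semi;colon", "back\\slash"]


def dblapos(s: str) -> str:
    """Build a standard-SQL string literal by doubling every apostrophe,
    the 'dblapos' approach described in the post. Semicolons and backslashes
    are ordinary characters inside a quoted literal, so they are untouched."""
    return "'" + s.replace("'", "''") + "'"


def make_db() -> sqlite3.Connection:
    """In-memory table populated with the constructed sample names."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [(n,) for n in SAMPLE_NAMES])
    return conn


def find_naive(conn: sqlite3.Connection, name: str) -> list:
    """Raw interpolation: the query text changes with the input and the
    first apostrophe in the value already breaks the statement."""
    return conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def find_dblapos(conn: sqlite3.Connection, name: str) -> list:
    """Interpolation of a correctly quoted literal: works, but only because
    every value passes through the quoting helper."""
    return conn.execute("SELECT name FROM users WHERE name = " + dblapos(name)).fetchall()


def find_param(conn: sqlite3.Connection, name: str) -> list:
    """Parameter binding: the library does the quoting and the SQL text is a
    constant, which is what 'the library set up right' buys you."""
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


def compare(name: str) -> tuple:
    """Run all three lookups for one value; the naive one may raise, in which
    case the error text is returned in its slot instead of a result list."""
    conn = make_db()
    try:
        naive = find_naive(conn, name)
    except sqlite3.OperationalError as exc:
        naive = f"error: {exc}"
    return naive, find_dblapos(conn, name), find_param(conn, name)
```

Running `compare("O'Brien")` shows the naive query failing with a syntax error while the doubled-apostrophe literal and the bound parameter both return the row; for the semicolon and backslash samples all three agree, matching the point that those characters need no escaping inside a quoted literal.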



Thread

Pickling over a socket Roger Alexander <rtalexander@mac.com> - 2011-04-19 11:53 -0700
  Re: Pickling over a socket Chris Rebert <clp2@rebertia.com> - 2011-04-19 12:21 -0700
  Re: Pickling over a socket Chris Angelico <rosuav@gmail.com> - 2011-04-20 05:29 +1000
  Re: Pickling over a socket Dan Stromberg <drsalists@gmail.com> - 2011-04-19 12:30 -0700
  Re: Pickling over a socket Chris Angelico <rosuav@gmail.com> - 2011-04-20 05:37 +1000
    Re: Pickling over a socket Roger Alexander <rtalexander@mac.com> - 2011-04-19 15:27 -0700
      Re: Pickling over a socket Jean-Paul Calderone <calderone.jeanpaul@gmail.com> - 2011-04-19 19:28 -0700
        Re: Pickling over a socket Bastian Ballmann <balle@chaostal.de> - 2011-04-20 08:44 +0200
        Re: Pickling over a socket Chris Angelico <rosuav@gmail.com> - 2011-04-20 16:59 +1000
        Re: Pickling over a socket Bastian Ballmann <balle@chaostal.de> - 2011-04-20 09:34 +0200
          Re: Pickling over a socket Thomas Rachel <nutznetz-0c1b6768-bfa9-48d5-a470-7603bd3aa915@spamschutz.glglgl.de> - 2011-04-20 10:25 +0200
            [OT] Re: Pickling over a socket Bastian Ballmann <balle@chaostal.de> - 2011-04-20 10:59 +0200
        Re: Pickling over a socket Chris Angelico <rosuav@gmail.com> - 2011-04-20 19:26 +1000
        Re: Pickling over a socket Bastian Ballmann <balle@chaostal.de> - 2011-04-20 11:41 +0200
