FAQ
I have a generator of SQL models with support for primary and foreign keys,
indexes and unique constraints (including composites), default values, and
enumerations.

Now, for each model, the Go code is generated with a function to get the
SQL statement related to INSERT:

https://github.com/kless/modsql/blob/master/testdata/model.go  // Auto-generated
https://github.com/kless/modsql/blob/master/test/modeler.go    // Source

Would it be useful to add another auto-generated function for SQL? Which?
Any other feature to add to the modeler?

--
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.


  • Ernest Micklei at Feb 4, 2013 at 11:56 am
    you should at least take care of http://en.wikipedia.org/wiki/SQL_injection.

  • Archos at Feb 4, 2013 at 12:24 pm
Thanks! I'd forgotten about it.
The solution is easy, since you only have to check variables of type
string, which could have an extra SQL statement.

  • John Nagle at Feb 4, 2013 at 9:23 pm

    On 2/4/2013 3:56 AM, Ernest Micklei wrote:
    you should at least take care of http://en.wikipedia.org/wiki/SQL_injection.
    Do NOT put data fields into SQL statements yourself, as you did here:

    return fmt.Sprintf("INSERT INTO times (typeId, t_duration, t_datetime) VALUES(%d, '%s', '%s');",
        t.TypeId, modsql.ReplTime.Replace(t.T_duration.String()), t0.String()), nil

    Use the SQL package:

    func (tx *Tx) Exec(query string, args ...interface{}) (Result, error)

    which knows how to escape data fields. (Correctly, one hopes.)
    SQL escaping rules are complex and depend on the state of the
    connection and the database being used. It's the job of the
    SQL package and its per-database packages to take care of that.

    PHP does this wrong, which is the entry point for most of the successful
    SQL injection attacks in the wild. Python and Go get it right.
    (Java has many SQL packages, some good, some not so good.)

    Read
    http://dev.mysql.com/doc/refman/5.0/en/string-literals.html
    for the escaping rules.

    John Nagle



  • Steve McCoy at Feb 4, 2013 at 10:07 pm
    Or don't use escaping at all and use parameterized queries and/or prepared
    statements, which are foolproof. Even PHP provides these.

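    The two replies above (Exec with separate args, and parameterized
    queries / prepared statements) describe the same database/sql mechanism.
    The following is an added example and not code from modsql or from either
    poster: it reconstructs the shape of the quoted Sprintf INSERT (column
    names from the quote; the Go field types are assumed) beside the
    parameterized form the generator should emit. The Execer interface,
    recordingExecer, statementCount and the payload string are all constructed
    for this example so that it runs without a database; *sql.DB and *sql.Tx
    both satisfy Execer, so InsertTimes works unchanged against a real
    connection.

```go
package main

import (
	"database/sql"
	"fmt"
	"strings"
)

// Execer is the subset of *sql.DB and *sql.Tx this example needs. Both
// types have an Exec method with exactly this signature.
type Execer interface {
	Exec(query string, args ...interface{}) (sql.Result, error)
}

// insertTimesUnsafe mirrors the shape of the generated statement quoted in
// the thread: values are spliced into the SQL text with fmt.Sprintf, so
// whatever a string holds becomes part of the statement, quotes and
// semicolons included. (Field types are an assumption of this example.)
func insertTimesUnsafe(typeID int, duration, datetime string) string {
	return fmt.Sprintf(
		"INSERT INTO times (typeId, t_duration, t_datetime) VALUES(%d, '%s', '%s');",
		typeID, duration, datetime)
}

// insertTimesSafe is what the generator should emit instead: a fixed
// template with placeholders plus the values as separate arguments. The
// driver sends the values out of band or quotes them itself, so they can
// never change the structure of the statement. "?" is the placeholder
// syntax for MySQL and SQLite; PostgreSQL drivers use $1, $2, ...
func insertTimesSafe(typeID int, duration, datetime string) (query string, args []interface{}) {
	return "INSERT INTO times (typeId, t_duration, t_datetime) VALUES(?, ?, ?)",
		[]interface{}{typeID, duration, datetime}
}

// InsertTimes hands the template and the arguments to Exec and never
// touches the SQL text itself.
func InsertTimes(e Execer, typeID int, duration, datetime string) (sql.Result, error) {
	q, args := insertTimesSafe(typeID, duration, datetime)
	return e.Exec(q, args...)
}

// recordingExecer stands in for a *sql.DB so the example runs offline; it
// records what a real driver would have received.
type recordingExecer struct {
	query string
	args  []interface{}
}

func (r *recordingExecer) Exec(query string, args ...interface{}) (sql.Result, error) {
	r.query, r.args = query, args
	return nil, nil
}

// statementCount counts top-level statements by walking the SQL with
// awareness of single-quoted literals: a ';' inside a literal is data, a
// ';' outside one ends a statement. It does not parse comments; it only
// needs to make the spliced-in second statement visible.
func statementCount(q string) int {
	n, inLit := 0, false
	for i := 0; i < len(q); i++ {
		switch {
		case q[i] == '\'':
			inLit = !inLit
		case q[i] == ';' && !inLit:
			n++
		}
	}
	return n
}

// payload is a constructed attacker-controlled duration string: it closes
// the literal and the VALUES list, appends a second statement, and
// comments out the rest of the original one.
const payload = "1h'); DROP TABLE times; --"

func main() {
	unsafe := insertTimesUnsafe(1, payload, "2013-02-04 11:32:10")
	fmt.Println("unsafe:", unsafe)
	fmt.Println("statements in unsafe query:", statementCount(unsafe))

	rec := &recordingExecer{}
	if _, err := InsertTimes(rec, 1, payload, "2013-02-04 11:32:10"); err != nil {
		panic(err)
	}
	fmt.Println("safe:  ", rec.query)
	fmt.Printf("args:   %v\n", rec.args)
	fmt.Println("payload stays inside the args:", !strings.Contains(rec.query, "DROP"))
}
```

    The same template also works with (*sql.DB).Prepare, whose *sql.Stmt
    takes only the args; either way the SQL text the generator emits is a
    constant and the values never reach the parser as SQL.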
  • Archos at Feb 6, 2013 at 10:08 am
    Instead of escaping fields of type string, my idea was to check if there is a
    character ";" and then "DROP" or "SELECT" to know whether it has an extra
    SQL statement. For greater security, I was going to log every string with ";".

    But if it is not enough, and to avoid some possible security issue, it would
    be better to follow your advice. Thanks!

  • André Moraes at Feb 6, 2013 at 11:39 am

    On Wed, Feb 6, 2013 at 8:08 AM, Archos wrote:
    Instead of escaping fields of type string, my idea was to check if there is a
    character ";" and then "DROP" or "SELECT" to know whether it has an extra
    SQL statement. For greater security, I was going to log every string with ";".
    select username from users where passwd = '%v'

    then, %v could be

    select username from users where passwd = 'anything' or 1=1 or 'junk'=''

    Always trust the driver writer to escape things and don't trust the
    user to write SQL statements. Following these rules, you can't be SQL
    injected.


    --
    André Moraes
    http://amoraes.info

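    The ";" plus "DROP"/"SELECT" check proposed two posts up, and the
    payload in the reply above, side by side. This is an added example, not
    code from modsql or from either poster: looksInjected is a reconstruction
    of the described filter, skeleton is a constructed diagnostic that keeps
    only the part of a query outside single-quoted literals (the part the
    database will interpret as SQL), and the password values are constructed
    inputs. The lookup template is the one from the reply above, with the
    value spliced in by string formatting as the unsafe code does.

```go
package main

import (
	"fmt"
	"strings"
)

// looksInjected reconstructs the check proposed in the thread: a string is
// treated as dangerous only if it contains ";" and, after it, the word DROP
// or SELECT. Example code, not the generator's own.
func looksInjected(s string) bool {
	i := strings.Index(s, ";")
	if i < 0 {
		return false
	}
	rest := strings.ToUpper(s[i+1:])
	return strings.Contains(rest, "DROP") || strings.Contains(rest, "SELECT")
}

// skeleton returns the query with the contents of every single-quoted
// literal replaced by "?". If a value only ever lands inside a literal, the
// skeleton does not depend on the value; if the skeleton changes, the value
// has become SQL. (Diagnostic for this example only, not a defense.)
func skeleton(q string) string {
	var b strings.Builder
	inLit := false
	for i := 0; i < len(q); i++ {
		c := q[i]
		switch {
		case c == '\'':
			inLit = !inLit
			b.WriteByte(c)
			if inLit {
				b.WriteByte('?')
			}
		case inLit:
			// bytes inside a literal are data; drop them from the skeleton
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// lookupTemplate is the statement from the reply, with the value spliced in
// by string formatting as the unsafe code does.
const lookupTemplate = "select username from users where passwd = '%s'"

func buildLookup(passwd string) string {
	return fmt.Sprintf(lookupTemplate, passwd)
}

// Constructed inputs: an honest password, the kind of payload the filter was
// designed for, and two payloads without any ";" that the filter lets through.
var inputs = []string{
	"hunter2",
	"'; DROP TABLE users; --",
	"anything' or 1=1 or 'junk'='",
	"' or 1=1 --",
}

func main() {
	honest := skeleton(buildLookup("hunter2"))
	for _, in := range inputs {
		q := buildLookup(in)
		fmt.Printf("input %q\n  flagged by filter: %v\n  skeleton changed:  %v\n  query: %s\n",
			in, looksInjected(in), skeleton(q) != honest, q)
	}
}
```

    The filter catches only the stacked-statement case it was written for;
    the two semicolon-free payloads pass it and still rewrite the WHERE
    clause, which is what the skeleton comparison makes visible. Note also
    that a legitimate value containing an apostrophe changes the skeleton
    just as surely, which is why quoting is the driver's job and not a
    per-field check.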

Discussion Overview
group: golang-nuts
categories: go
posted: Feb 4, '13 at 11:32a
active: Feb 6, '13 at 11:39a
posts: 7
users: 5
website: golang.org
