author | František Kučera <franta-hg@frantovo.cz> |
Thu, 01 Aug 2019 11:59:39 +0200 | |
branch | v_0 |
changeset 266 | 862a1d97e74b |
parent 247 | 087b8621fb3e |
child 314 | a8bdd870a456 |
permissions | -rw-r--r-- |
<stránka
	xmlns="https://trac.frantovo.cz/xml-web-generator/wiki/xmlns/strana"
	xmlns:m="https://trac.frantovo.cz/xml-web-generator/wiki/xmlns/makro">

	<nadpis>Parametrized queries with Guile</nadpis>
	<perex>passing input parameters and avoiding code-injections</perex>
	<m:pořadí-příkladu>01600</m:pořadí-příkladu>

	<text xmlns="http://www.w3.org/1999/xhtml">

		<p>
			<m:name/> are not only for ad-hoc commands: they can (and probably often should) be used to build reusable programs.
			Such a program is written once, stored in a shell script, shell function or alias, and then called many times.
		</p>

		<p>
			For example, we need a script that prints the records from our <code>fstab</code> that have a given filesystem type.
			We could do it this way:
		</p>

		<m:pre jazyk="bash"><![CDATA[fstab-where-type() {
	# $1 is pasted straight into the Guile code: this is the broken version
	relpipe-in-fstab \
		| relpipe-tr-guile \
			--relation fstab \
			--where '(string= $type "'$1'")' \
		| relpipe-out-tabular;
}]]></m:pre>

		<p>It seems to work: e.g. if we call <code>fstab-where-type btrfs</code>, we get:</p>

		<m:pre jazyk="text"><![CDATA[fstab:
╭─────────────────┬──────────────────────────────────────┬──────────────────────┬───────────────┬──────────────────┬────────────────┬────────────────╮
│ scheme (string) │ device (string)                      │ mount_point (string) │ type (string) │ options (string) │ dump (integer) │ pass (integer) │
├─────────────────┼──────────────────────────────────────┼──────────────────────┼───────────────┼──────────────────┼────────────────┼────────────────┤
│ UUID            │ a2b5f230-a795-4f6f-a39b-9b57686c86d5 │ /home                │ btrfs         │ relatime         │              0 │              2 │
╰─────────────────┴──────────────────────────────────────┴──────────────────────┴───────────────┴──────────────────┴────────────────┴────────────────╯
Record count: 1]]></m:pre>

		<p>
			But it is fundamentally wrong: the input parameter is blindly pasted into the middle of the Guile code.
			So if we call e.g. <code>fstab-where-type 'ext4"'</code>, it crashes terribly, because the double quote in the argument ends the string literal early and leaves a malformed expression.
			Do you remember SQL injections in your first PHP scripts when you were 14?
			Do you remember <a href="https://xkcd.com/327/">XKCD: Exploits of a Mom</a>?
			Don't do it again!
		</p>

		<p>
			The <code>relpipe-tr-guile</code> tool has a safe way of passing parameters in from the outside, and such parameters are even strongly typed.
			So this is how our program should be written:
		</p>

		<m:pre jazyk="bash"><![CDATA[fstab-where-type() {
	# $1 is bound to the typed variable myRequestedType and never pasted into the code
	relpipe-in-fstab \
		| relpipe-tr-guile \
			--relation fstab \
			--define 'myRequestedType' string "$1" \
			--where '(string= $type myRequestedType)' \
		| relpipe-out-tabular;
}]]></m:pre>

		<p>
			So when we call <code>fstab-where-type 'ext4"'</code> again, there is no crash and no code injection.
			Just an empty relation is returned, because there is no record <code>WHERE type = 'ext4"'</code> (in SQL words).
		</p>

		<p>
			Now it is as if we did a parametrized query in SQL:
		</p>

		<m:pre jazyk="sql"><![CDATA[SELECT * FROM fstab WHERE type = :myRequestedType;]]></m:pre>

		<p>
			And bind the <code>myRequestedType</code> parameter to the value separately, as data rather than as part of the query text.
		</p>
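		<p>
			The two approaches above, the pasted value and the bound parameter, put side by side in a runnable form. This is an added example and not code from this page or from relpipe: it reproduces what the shell does in the broken <code>fstab-where-type</code> (the hypothetical helper <code>naive_guile_where</code>), checks the resulting expression with a toy S-expression scanner (<code>sexpr_is_well_formed</code>, which only tracks quotes and parentheses), and runs the page's <code>SELECT ... WHERE type = :myRequestedType</code> against an in-memory SQLite table with constructed rows. Since SQL delimits strings with single quotes, the SQL counterpart of the page's stray <code>"</code> is a stray <code>'</code>.
		</p>

```python
import sqlite3

# Constructed sample data (not a real fstab): the btrfs row is the one shown
# on the page; the other two rows are made up so the filter has something to skip.
FSTAB_ROWS = [
    ("UUID", "a2b5f230-a795-4f6f-a39b-9b57686c86d5", "/home", "btrfs", "relatime", 0, 2),
    ("UUID", "11111111-2222-3333-4444-555555555555", "/", "ext4", "errors=remount-ro", 0, 1),
    ("", "tmpfs", "/tmp", "tmpfs", "defaults", 0, 0),
]


def naive_guile_where(requested_type):
    """Hypothetical helper: what the shell produces in the broken version of
    fstab-where-type. '(string= $type "'$1'")' is plain string concatenation,
    so the value becomes part of the Guile code."""
    return '(string= $type "' + requested_type + '")'


def sexpr_is_well_formed(expr):
    """Minimal check of an S-expression: double-quoted strings may contain
    backslash escapes, and parentheses must balance outside of strings.
    It only detects broken quoting and nesting, nothing more."""
    depth = 0
    in_string = False
    escaped = False
    for ch in expr:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch == "(":
            depth += 1
        elif ch == ")":
            if depth == 0:
                return False
            depth -= 1
    return depth == 0 and not in_string


def open_fstab_db():
    """In-memory SQLite table with the same columns as the fstab relation above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE fstab (scheme TEXT, device TEXT, mount_point TEXT, "
        "type TEXT, options TEXT, dump INTEGER, pass INTEGER)"
    )
    conn.executemany("INSERT INTO fstab VALUES (?, ?, ?, ?, ?, ?, ?)", FSTAB_ROWS)
    return conn


def fstab_where_type_unsafe(conn, requested_type):
    """SQL twin of the broken shell function: the value is pasted into the
    query text. Returns None where SQLite rejects the resulting query."""
    sql = "SELECT * FROM fstab WHERE type = '" + requested_type + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError:
        return None


def fstab_where_type(conn, requested_type):
    """The page's parametrized query: the value is bound to :myRequestedType
    and never touches the query text, so any quote in it is just data."""
    sql = "SELECT * FROM fstab WHERE type = :myRequestedType"
    return conn.execute(sql, {"myRequestedType": requested_type}).fetchall()


if __name__ == "__main__":
    for value in ("btrfs", 'ext4"'):
        expr = naive_guile_where(value)
        print(repr(expr), "well-formed:", sexpr_is_well_formed(expr))
    conn = open_fstab_db()
    print("bound, btrfs:", fstab_where_type(conn, "btrfs"))
    print("bound, ext4\":", fstab_where_type(conn, 'ext4"'))
    print("pasted, ext4':", fstab_where_type_unsafe(conn, "ext4'"))
```

		<p>
			The scanner reports <code>(string= $type "btrfs")</code> as well formed and <code>(string= $type "ext4"")</code> as broken, which is the crash the text describes; the bound query returns the btrfs row for <code>btrfs</code> and an empty list for either <code>ext4"</code> or <code>ext4'</code>, while the pasted query is rejected by SQLite for <code>ext4'</code>.
		</p>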

	</text>

</stránka>