<stránka
	xmlns="https://trac.frantovo.cz/xml-web-generator/wiki/xmlns/strana"
	xmlns:m="https://trac.frantovo.cz/xml-web-generator/wiki/xmlns/makro">

	<nadpis>Parametrized queries with Scheme</nadpis>
	<perex>passing input parameters and avoiding code injection</perex>
	<m:pořadí-příkladu>01600</m:pořadí-příkladu>

	<text xmlns="http://www.w3.org/1999/xhtml">

│ UUID            │ a2b5f230-a795-4f6f-a39b-9b57686c86d5 │ /home                │ btrfs         │ relatime         │              0 │              2 │
╰─────────────────┴──────────────────────────────────────┴──────────────────────┴───────────────┴──────────────────┴────────────────┴────────────────╯
Record count: 1]]></m:pre>

		<p>
			But it is fundamentally wrong. The input parameter is blindly pasted into the middle of the Scheme code,
			so the value becomes part of the program instead of being treated as data.
			If we call e.g. <code>fstab-where-type 'ext4"'</code>, the stray double quote ends the string literal early,
			the Scheme reader can no longer parse the expression and the pipeline crashes terribly.
			A value that closes the literal and continues with a parenthesised form would not crash at all; it would be executed as code.
			Do you remember SQL injections in your first PHP scripts when you were 14?
			Do not do it again!
		</p>

		<p>
			The <code>relpipe-tr-scheme</code> tool has a safe way of passing parameters in from the outside:
			the <code>--define</code> option takes a name, a type and a value as three separate arguments,
			so the value never touches the Scheme source and is even strongly typed.
			This is how our program should be written:
		</p>

		<m:pre jazyk="bash"><![CDATA[fstab-where-type() {
	# "$1" is handed over as a separate, typed argument; the --where expression is a constant
	# (single quotes keep the shell from expanding $type, which is a Scheme variable here)
	relpipe-in-fstab \
		| relpipe-tr-scheme \
			--relation fstab \
			--define 'myRequestedType' string "$1" \
			--where '(string= $type myRequestedType)' \
		| relpipe-out-tabular;
}]]></m:pre>
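
		<p>
			To see what the injection actually does to the expression, here is a small added example in Python.
			It is not code from this page or from the relpipe project: the helper names
			(<code>unsafe_where</code>, <code>quoted_where</code>, <code>scheme_string_literal</code>, <code>tokenize</code>,
			<code>parses</code>, <code>top_level_forms</code>, <code>string_literal_value</code>, <code>safe_argv</code>)
			and the two hostile inputs are made up for the illustration; only the <code>relpipe-tr-scheme</code> options
			<code>--relation</code>, <code>--define</code> and <code>--where</code> and the <code>$type</code> variable are taken from the program above.
			The lexer is deliberately minimal (parentheses, string literals with backslash escapes, atoms) and stands in for the reader inside the tool.
			It shows that <code>ext4"</code> leaves an unterminated string, that an input containing <code>") (</code> smuggles in a second top-level form,
			that correct Scheme string quoting would keep the value inside the literal, and that with <code>--define</code> the filter expression never contains user data at all.
		</p>

```python
"""Why splicing a value into Scheme source is an injection, and how the
--define parameter of relpipe-tr-scheme sidesteps it.  Added example for
this page; none of the helpers below are part of relpipe."""


def unsafe_where(requested_type):
    """Anti-pattern from the page: the raw value is spliced into the code."""
    return '(string= $type "' + requested_type + '")'


def scheme_string_literal(value):
    """Correct quoting if a value really must be inlined: escape backslash and double quote."""
    escaped = value.replace('\\', '\\\\').replace('"', '\\"')
    return '"' + escaped + '"'


def quoted_where(requested_type):
    """Same filter with the value wrapped in a proper string literal."""
    return '(string= $type ' + scheme_string_literal(requested_type) + ')'


def safe_argv(requested_type):
    """The relpipe way: the value travels as its own argv element via --define
    and the --where expression only ever names the variable."""
    return ['relpipe-tr-scheme',
            '--relation', 'fstab',
            '--define', 'myRequestedType', 'string', requested_type,
            '--where', '(string= $type myRequestedType)']


def tokenize(expression):
    """Minimal s-expression lexer; raises ValueError on an unterminated string."""
    tokens, i, n = [], 0, len(expression)
    while i != n:
        c = expression[i]
        if c.isspace():
            i += 1
        elif c in '()':
            tokens.append(('paren', c))
            i += 1
        elif c == '"':
            buf, i = [], i + 1
            while True:
                if i == n:
                    raise ValueError('unterminated string literal')
                c = expression[i]
                if c == '\\':
                    if i + 1 == n:
                        raise ValueError('dangling backslash in string literal')
                    buf.append(expression[i + 1])  # escaped character taken verbatim
                    i += 2
                elif c == '"':
                    i += 1
                    break
                else:
                    buf.append(c)
                    i += 1
            tokens.append(('string', ''.join(buf)))
        else:
            start = i
            while i != n and not expression[i].isspace() and expression[i] not in '()"':
                i += 1
            tokens.append(('atom', expression[start:i]))
    return tokens


def parses(expression):
    """True when the expression lexes cleanly."""
    try:
        tokenize(expression)
        return True
    except ValueError:
        return False


def top_level_forms(expression):
    """Count complete top-level forms; more than one means code got injected."""
    depth = forms = 0
    for kind, value in tokenize(expression):
        if kind == 'paren':
            depth += 1 if value == '(' else -1
            if depth == 0 and value == ')':
                forms += 1
        elif depth == 0:
            forms += 1
    return forms


def string_literal_value(expression):
    """Value of the single string literal in a filter expression, or None."""
    strings = [v for kind, v in tokenize(expression) if kind == 'string']
    return strings[0] if len(strings) == 1 else None


if __name__ == '__main__':
    for hostile in ['ext4"', 'x") (display "pwned']:  # constructed inputs
        print(repr(hostile), 'unsafe parses:', parses(unsafe_where(hostile)),
              'quoted value:', repr(string_literal_value(quoted_where(hostile))))
    print(safe_argv('ext4"'))
```

		<p>
			The <code>--define</code> route is preferable to quoting because there is nothing left to get wrong:
			the expression is a constant, the value is type-checked by the tool, and no escaping rule has to be remembered.
		</p>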