[geeklog-devel] Filtering in GL2

Tony Bibbs tony at tonybibbs.com
Wed Dec 15 17:17:22 EST 2004


My response is below.

Dirk Haun wrote:

>What about SQL injection attempts then?
>
>There's several sorts of filtering that have to be done, and ideally (I
>think), they should be handled by different "entities" (for lack of a
>better word), as opposed to the all-in-one approach that 1.3's
>COM_applyFilter  implements.
>
>I.e. an SQL request should be parsed for injections / malformed SQL by
>the entity that handles SQL (would that be Propel then or Creole?).
>
>JavaScript, unwanted HTML, etc. should be handled by the module that
>handles the post (or whatever data is being processed), as it may be
>acceptable for one module, but unacceptable for another.
>  
>

That's understandable.  However, it is worth noting a few things:

1) As a GL2 standard, any custom sql (i.e. that not automatically 
created by propel) must be in a prepared statement format.  This 
standard automatically makes GL2 less vulnerable (read the section "Why 
use prepared statements" on this page:

http://dev.mysql.com/tech-resources/articles/4.1/prepared-statements.html

Now, I realize this is MySQL specific and I hope to maintain DB 
independence but nearly all 'real' DBMS support some form of prepared 
statements.

2) Saving using the save() method on the Propel generated domain objects 
all get converted to prepared statements.  So, not to be naive, SQL 
injection may still be possible but it should be considerably harder for 
a programmer in GL2 to allow for such a thing to happen.

That only takes care of, to a large degree, SQL injections.  All your 
other points are valid and I think that having a single class with a 
bunch of atomic filter methods for various things (i.e. javascript, 
html, etc) makes sense at the kernel level...not necessarily at the 
plugin level.  I only say that because if we have at least a base 
filtering class in the kernel, each plugin can override it as needed (in 
fact, I think this makes sense as a 1.3.x enhancement).

And if I heard right, Blaine will be doing a draft of this class, no? 

--Tony




More information about the geeklog-devel mailing list