On Fri, 2006-06-30 at 11:08 +0800, Timothy White wrote:
On 6/28/06, Timothy White <weirdit@gmail.com> wrote:
I just realised that it may be possible to exploit the snprintf and send strange commands to the server, for this reason, the user that the plugin uses, should only be able to run the 2 procedure's. I have no idea how to make this secure, or if it is secure or not. Any ideas? (e.g. snprintf(query, 20+MAXSIGLEN, "CALL SPAM(\"%s\")", signature); If someone modifies the header, as long as it's within the MAXSIGLEN then they can effect the query?)
Anyone got ideas/comments on this?
#include "strescape.h"
query = t_strdup_printf("CALL SPAM(\"%s\")", str_escape(signature));
And maybe put t_push() and t_pop() calls somewhere so that when copying lots of messages it doesn't temporarily use too much memory (the query's memory is valid until t_pop() is called).
Although the str_escape() isn't the right way to do it. mysql_real_escape_string() would be better. But anyway rather than using MySQL directly you could use sql-api.h. Then you could also use sql_escape_string() which is easier. :)