Sanitising/Escaping queries


Simon Krämer

Apr 22, 2014, 6:50:24 AM4/22/14
to redbe...@googlegroups.com
Hello,

when assembling a query I sometimes use parameters passed more or less directly from a client request. Since I know this is not good practice in general I'd like to know how, if using RedBean, I should (or shouldn't) sanitise/escape my queries. I know it is using PDO's prepare() function internally, but I'm not sure it does any automatic validation/sanitising when getting a fixed SQL string.

Thanks!

gabor

Apr 22, 2014, 1:57:36 PM4/22/14
to redbe...@googlegroups.com

Hi,

As long as you pass the input to the slots there should be no reason for concern.
However, to be sure, can you send me an example?

cheers
Gabor

Simon Krämer

Apr 23, 2014, 10:53:03 AM4/23/14
to redbe...@googlegroups.com
Hello Gabor,

What I'm doing is assembling a conditional query string; the conditions are assembled on the client side in a small JavaScript framework. While I could sanitise the values on the client side, that would not protect me against malicious users who fabricate special requests. On the server side a fixed SQL string is assembled and passed on to R::find(). I suspect from this point on there will be no (automated) validation of the SQL query? I'm thinking about things like 'DROP DATABASE', or reading fields that aren't meant to be public, or executing arbitrary SQL queries. If this is the case, is there some sort of best practice for how to sanitise a SQL condition string like this?

Simon

gabor

Apr 23, 2014, 2:02:47 PM4/23/14
to redbe...@googlegroups.com

Hi,

I fear this is quite hard to secure.
I recommend not making JS send ready-to-use SQL to the server.
If you really want this, either use a security-aware SQL parser or 'compile' your JavaScript SQL into prepared statements (for instance, replace the SQL snippets with hashes of the SQL stored in the database).

cheers
Gabor
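One way to do what Gabor suggests in both of his replies (keep the values in the slots, and never let the client send SQL text) is to have the client send a structured filter and compile it on the server. The following is an added example written for this thread; it is not code from the thread or from the RedBeanPHP project. It assumes RedBeanPHP is loaded via rb.php, PHP 7.1 or later, and a throwaway in-memory SQLite database; the field list, operator map and the `compileFilter()` helper are hypothetical names chosen for the example.

```php
<?php
// Added example, not from the thread or from RedBeanPHP itself.
// Assumes rb.php (RedBeanPHP) is on the include path and PHP >= 7.1.
require 'rb.php';

R::setup('sqlite::memory:');   // assumption: in-memory SQLite just for the demo

// Server-side whitelist: the only columns and operators a client may filter on.
// The client never sends SQL; it sends field/op/value triples, and anything
// outside this list is rejected before a query is built.
const ALLOWED_FIELDS    = ['title', 'author', 'year'];
const ALLOWED_OPERATORS = ['=' => '=', '!=' => '<>', '<' => '<', '>' => '>', 'like' => 'LIKE'];

/**
 * Compile a client filter such as
 *   [['field' => 'author', 'op' => '=', 'value' => 'Orwell'], ...]
 * into a WHERE fragment using ? slots plus the matching bindings array.
 * Column names and operators come only from the whitelist above; values
 * never touch the SQL string, they are always passed through the slots.
 */
function compileFilter(array $conditions): array
{
    $sql      = [];
    $bindings = [];
    foreach ($conditions as $cond) {
        $field = (string) ($cond['field'] ?? '');
        $op    = strtolower((string) ($cond['op'] ?? ''));
        if (!in_array($field, ALLOWED_FIELDS, true)) {
            throw new InvalidArgumentException("field not allowed: $field");
        }
        if (!array_key_exists($op, ALLOWED_OPERATORS)) {
            throw new InvalidArgumentException("operator not allowed: $op");
        }
        if (!array_key_exists('value', $cond) || is_array($cond['value'])) {
            throw new InvalidArgumentException("scalar value required for $field");
        }
        $sql[]      = $field . ' ' . ALLOWED_OPERATORS[$op] . ' ?';
        $bindings[] = $cond['value'];
    }
    return [implode(' AND ', $sql), $bindings];
}

// Constructed sample data for the demo.
foreach ([['1984', 'Orwell', 1949], ['Animal Farm', 'Orwell', 1945], ['Dune', 'Herbert', 1965]] as [$t, $a, $y]) {
    $book         = R::dispense('book');
    $book->title  = $t;
    $book->author = $a;
    $book->year   = $y;
    R::store($book);
}

// What a client might send (constructed here; in practice json_decode($body, true)).
// The first value is a classic injection attempt; as a bound value it is just a
// string that matches no author, so the query legitimately returns nothing.
$clientFilter = [
    ['field' => 'author', 'op' => '=', 'value' => "Orwell' OR '1'='1"],
    ['field' => 'year',   'op' => '>', 'value' => 1940],
];
[$where, $bindings] = compileFilter($clientFilter);
$books = R::find('book', $where, $bindings);
echo count($books), " book(s) matched the injection attempt\n";

// A well-formed request works as expected.
[$where, $bindings] = compileFilter([['field' => 'author', 'op' => '=', 'value' => 'Orwell']]);
echo count(R::find('book', $where, $bindings)), " book(s) by Orwell\n";

// Raw SQL smuggled into a field name is rejected before any query runs.
try {
    compileFilter([['field' => 'author; DROP TABLE book', 'op' => '=', 'value' => 'x']]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The point of the whitelist is that the only parts of the query string that are ever built from the request are a column name and an operator, and both are copied from server-side constants rather than from the request; the request supplies the value, which goes into a slot. This also answers the concern about reading fields that were not meant to be public: a column not in `ALLOWED_FIELDS` cannot be named in a filter at all.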