Finding an Authorization Bypass on My Own Website

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • MySQL

    A pure node.js JavaScript Client implementing the MySQL protocol.

  • As a security professional, I was horrified to find out that the maintainers don't consider this a security issue, though they did promise to take this seriously and change the API when they were made aware of it in 2014 (https://github.com/mysqljs/mysql/issues/731).

    So I bumped an issue, noting this is all over HN, and offered to write a pull request for the API change proposed by the maintainers:

    https://github.com/mysqljs/sqlstring/issues/60

    Doug agreed to accept such a request, so I just sat down to figure out the code and a reasonable upgrade plan.

    Three hours later, I proudly wrote Doug this email (pasting it here because the issue and codebase are locked to non-contributors so I had to send it via email):

    OK, I have a draft pull request ready. Of course, it's a big change and I expect to get a lot of feedback and have a few rounds of back and forth and fixups before it is accepted.

    This is the plan as I envision it:

    * Release SqlString 3.0.0 that has a new allowObjectValues parameter defaulting to false. This is a new major, so it shouldn't break anybody's code.

  • WordPress

    WordPress, Git-ified. This repository is just a mirror of the WordPress subversion repository. Please do not send pull requests. Submit pull requests to https://github.com/WordPress/wordpress-develop and patches to https://core.trac.wordpress.org/ instead.

  • WordPress also has faked parameterized queries.

    https://github.com/WordPress/WordPress/blob/4ae0744585ea9417...

  • go-sql-driver/mysql

    Go MySQL Driver is a MySQL driver for Go's (golang) database/sql package (by go-sql-driver)

  • > mysql_real_escape_string is still vulnerable when being used with some exotic character sets

    Indeed -- mysql_real_escape_string "mostly" fixes this problem by requiring a connection as one of its args, and since it's usually aware of the connection state, it can check that to see if one of those exotic charsets is in-use. But the problem is that there are multiple ways to change the connection charset, some of which the driver is aware of (e.g. in PHP mysqli set_charset) but some it is not (running textual statements like SET NAMES or SET CHARACTER SET).

    But generally an attacker won't ever have the ability to set an arbitrary exotic character set for the connection, unless they already have some other sql injection mechanism, in which case it's a moot point :)

    Driver documentation also typically mentions this problem. For example, here's the doc for doing client-side param interpolation in the most popular MySQL driver for Golang: https://github.com/go-sql-driver/mysql#interpolateparams

    It also explicitly detects if your initial connection settings attempt to use one of those charsets along with param interpolation, and throws an error if so: https://github.com/go-sql-driver/mysql/blob/21f789cd/dsn.go#...

    > Couldn't one just save the extra round-trip with length-prefixed strings by sending the query together with the parameters in a single message?

    AFAIK, no, not with the traditional MySQL binary protocol. The newer "X protocol" introduced in MySQL 5.7 does allow this, but it is not widely implemented in drivers.
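The comment above says a charset-unaware escaper is only "mostly" safe because some multi-byte character sets let the inserted backslash be swallowed into a character. The following is an added example, not code from any driver or from the commenter, that makes the mechanism concrete with GBK (lead byte 0x81..0xFE, trail byte 0x40..0xFE excluding 0x7F, so 0x5C is a valid trail byte). The server-side lexer model (try a multi-byte character first, otherwise let a backslash escape the next byte) and the charset-aware escaper that also escapes a stray lead byte are assumptions made for illustration, not a claim about any particular server version.

```javascript
'use strict';
// Added example for the "exotic character set" problem described above. This is not
// any driver's code. GBK is used as the concrete multi-byte charset: a lead byte
// 0x81..0xFE followed by a trail byte 0x40..0xFE (0x7F excluded) forms one
// character, so 0x5C (backslash) can be swallowed as the trail half of a
// character. The lexer model below (try a multi-byte character first, otherwise
// treat a backslash as escaping the next byte) is an assumption about how a
// GBK-configured server reads a quoted literal.

// Length of a valid GBK character at buf[i]: 2 for a lead+trail pair, else 0.
function gbkCharLen(buf, i) {
  const lead = buf[i];
  const trail = buf[i + 1];
  if (i + 1 < buf.length && lead >= 0x81 && lead <= 0xfe &&
      trail >= 0x40 && trail <= 0xfe && trail !== 0x7f) {
    return 2;
  }
  return 0;
}

function isGbkLead(b) {
  return b >= 0x81 && b <= 0xfe;
}

// A single-byte charset such as latin1 never forms multi-byte characters.
function singleByteCharLen() {
  return 0;
}

// Charset-unaware escaping: a backslash before every ' " and \ byte.
function escapeNaive(buf) {
  const out = [];
  for (const b of buf) {
    if (b === 0x27 || b === 0x22 || b === 0x5c) out.push(0x5c);
    out.push(b);
  }
  return Buffer.from(out);
}

// Charset-aware escaping (illustrative): copy complete multi-byte characters
// untouched, and also escape a stray lead byte so it cannot pair with an
// inserted backslash.
function escapeAware(buf, charLen, isLead) {
  const out = [];
  for (let i = 0; i < buf.length; ) {
    const l = charLen(buf, i);
    if (l > 1) {
      for (let k = 0; k < l; k++) out.push(buf[i + k]);
      i += l;
      continue;
    }
    const b = buf[i];
    if (isLead(b) || b === 0x27 || b === 0x22 || b === 0x5c) out.push(0x5c);
    out.push(b);
    i += 1;
  }
  return Buffer.from(out);
}

// Count single quotes a server would treat as string delimiters when it reads
// the bytes with the given charset rules.
function countUnescapedQuotes(buf, charLen) {
  let n = 0;
  for (let i = 0; i < buf.length; ) {
    const l = charLen(buf, i);
    if (l > 1) { i += l; continue; }
    if (buf[i] === 0x5c) { i += 2; continue; } // backslash escapes the next byte
    if (buf[i] === 0x27) n++;
    i += 1;
  }
  return n;
}

// Constructed payload: an invalid GBK sequence (0xBF followed by a quote) and a
// classic tautology tail.
const PAYLOAD = Buffer.concat([
  Buffer.from([0xbf, 0x27]),
  Buffer.from(' OR 1=1 -- ', 'latin1'),
]);

function demo() {
  return {
    // same escaper, single-byte charset: the quote stays escaped
    naiveUnderLatin1: countUnescapedQuotes(escapeNaive(PAYLOAD), singleByteCharLen),
    // same escaper, GBK: 0xBF 0x5C becomes one character and the quote is bare
    naiveUnderGbk: countUnescapedQuotes(escapeNaive(PAYLOAD), gbkCharLen),
    // charset-aware escaper under GBK: the stray lead byte is escaped as well
    awareUnderGbk: countUnescapedQuotes(escapeAware(PAYLOAD, gbkCharLen, isGbkLead), gbkCharLen),
  };
}
```

The byte-level result is the point: `escapeNaive` turns `BF 27` into `BF 5C 27`, which a GBK reader consumes as the two-byte character `BF 5C` followed by an unescaped quote, while the same bytes read as latin1 are harmless. This is why the escaper has to know the connection's actual charset, and why a `SET NAMES` issued as a plain statement (invisible to the driver) undermines it.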

  • MySqlConnector

    MySQL Connector for .NET

  • sqlstring

    Simple SQL escape and format for MySQL

  • sqlstring

    Simple SQL escape and format for MySQL (by SonOfLilit)

  • * Release mysqljs 3.0 that changes the default and removes the deprecation warning, so new projects get a sane default.

    This involves, of course, changes to two repositories, so here they are (I can't open pull requests because I have not contributed in the past):

    https://github.com/SonOfLilit/sqlstring

  • mysql

    A pure node.js JavaScript Client implementing the MySQL protocol. (by SonOfLilit)

  • https://github.com/SonOfLilit/mysql

    (I didn't write the mysqljs 3.0 patch yet to make pull request technicalities simpler, but it's trivial)

    Again, I'm new to this project, am not a javascript developer in my day job, and I expect - and am prepared to handle - nontrivial amounts of feedback and requests for improvement.

    For a brighter, safer future :-),
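The comment above proposes an `allowObjectValues` switch for sqlstring. As an added example, not sqlstring's or mysqljs's code and not the commenter's pull request, the block below re-implements the documented escaping rules just far enough to show what goes wrong when a query parameter arrives as an object instead of a string, and what the proposed default would change. The `allowObjectValues` option name comes from the comment; its implementation here, and the `buildLoginQuery` helper and request bodies, are constructed for illustration.

```javascript
'use strict';
// Added illustration for the object-value problem discussed in the comment above.
// This is NOT sqlstring's or mysqljs's source code. It is a small re-implementation
// of the documented escaping rules (strings quoted and backslash-escaped, numbers
// emitted as-is, arrays joined with commas, plain objects turned into `key` = value
// pairs) so the hazard can be shown offline. The allowObjectValues option is the
// parameter proposed in the comment; its implementation here is hypothetical.

const ESCAPE_CHARS = /[\0\b\t\n\r\x1a"'\\]/g;
const ESCAPE_MAP = {
  '\0': '\\0', '\b': '\\b', '\t': '\\t', '\n': '\\n',
  '\r': '\\r', '\x1a': '\\Z', '"': '\\"', "'": "\\'", '\\': '\\\\',
};

// Quote an identifier with backticks, doubling any embedded backtick.
function escapeId(id) {
  return '`' + String(id).replace(/`/g, '``') + '`';
}

// Escape a single value. Legacy behaviour (objects become key = value pairs) is
// kept as the default; passing { allowObjectValues: false } rejects objects.
function escape(val, options = {}) {
  const allowObjectValues = options.allowObjectValues !== false;
  if (val === undefined || val === null) return 'NULL';
  switch (typeof val) {
    case 'boolean': return val ? 'true' : 'false';
    case 'number': return String(val);
    case 'string': return "'" + val.replace(ESCAPE_CHARS, (c) => ESCAPE_MAP[c]) + "'";
  }
  if (Array.isArray(val)) {
    return val.map((v) => escape(v, options)).join(', ');
  }
  if (typeof val === 'object') {
    if (!allowObjectValues) {
      throw new TypeError('object values are not allowed as query parameters');
    }
    return Object.keys(val)
      .map((k) => escapeId(k) + ' = ' + escape(val[k], options))
      .join(', ');
  }
  return escape(String(val), options);
}

// Client-side interpolation: replace each ? with the escaped next value.
function format(sql, values, options) {
  let i = 0;
  return sql.replace(/\?/g, () => (i < values.length ? escape(values[i++], options) : '?'));
}

// Constructed request bodies: with a JSON body, "password" can arrive as an object.
const LOGIN_SQL = 'SELECT * FROM users WHERE username = ? AND password = ?';
const honestBody = { username: 'admin', password: 'hunter2' };
const hostileBody = { username: 'admin', password: { password: 1 } };

function buildLoginQuery(body, options) {
  return format(LOGIN_SQL, [body.username, body.password], options);
}

// honest:  ... AND password = 'hunter2'
// hostile: ... AND password = `password` = 1
//   MySQL reads that as (password = password) = 1, which is true for every row
//   whose password is non-NULL, so the credential check disappears.
// buildLoginQuery(hostileBody, { allowObjectValues: false }) throws instead.
```

The hardened path is the one the comment argues for as the default: a value that is not a scalar (or an array of scalars) is a programming error or an attack, never a legitimate `WHERE` operand, so the library should refuse it rather than rewrite it into SQL. Code that relies on `SET ?` with an object would opt back in explicitly.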
