Re: "Principle of least privilege" in accessing a DB from an app
On Sun, 13 Jan 2013 09:05:51 -0800 (PST), Isaac Perez
<isaac.perez.moncho@gmail.com> declaimed the following in
gmane.comp.python.django.user:
> What I intend to achieve is that if in any occasion we've got a sql
> injection for whatever the reason, the access to the DB from the app form
> will be as limited as possible.
>
You do THAT by not allowing user input directly into the SQL in the
first place. ALL proper DB-API compliant database adapters use
parameterized queries, and will properly escape and wrap the parameter
data to prevent injection attacks.
And, so far as I can tell, Django's ORM is even less susceptible
than direct DB-API to injection attacks, since besides passing user data
through the parameter system, it uses Python syntax to access the
relation attributes ("table columns").
If you are building raw SQL in which the user specifies both the
column and the value for that column, you need to design the interface
so that the column is never entered as text by the user, but is selected
from a pre-defined list of columns. This ensures that column (and even
table) names are clean for the building of the schema related part of
the SQL statement; the data values are, of course, then passed using the
DB-API parameter system and not "hand inserted" into the SQL.
If you follow these two criteria:
1) always use parameterized queries to pass user entered data
2) never use user entered text for schema entities when building dynamic
queries
you will not be subject to an SQL injection attack.
--
Wulfraed Dennis Lee Bieber AF6VN
wlfraed@ix.netcom.com HTTP://wlfraed.home.netcom.com/
--
You received this message because you are subscribed to the Google Groups "Django users" group.
To post to this group, send email to django-users@googlegroups.com.
To unsubscribe from this group, send email to django-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/django-users?hl=en.
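The two criteria from the reply (parameters for user data, a fixed list for schema names) can be checked side by side against a DB-API adapter. The following is an added example, not code from the thread or from Django; it uses Python's built-in `sqlite3` module with a constructed in-memory `users` table, an `ALLOWED_COLUMNS` whitelist that is an assumption standing in for the "pre-defined list of columns" the reply describes, and a hypothetical `search_safe` function next to the string-building anti-pattern it replaces. In Django the same idea is `Model.objects.filter(**{column: value})` after the column name has been checked against a fixed set.

```python
import sqlite3

# Assumption: the application only ever lets a user filter on these columns.
# This is the "pre-defined list" the reply talks about; the user picks from it,
# never types a column name.
ALLOWED_COLUMNS = frozenset({"username", "email", "city"})


def make_db():
    """Constructed sample schema and rows, kept in memory so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, city TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email, city) VALUES (?, ?, ?)",
        [
            ("alice", "alice@example.com", "Berlin"),
            ("bob", "bob@example.com", "Paris"),
            ("carol", "carol@example.com", "Berlin"),
        ],
    )
    return conn


def search_unsafe(conn, column, value):
    """Anti-pattern: user text is interpolated straight into the SQL string.

    Both the column and the value come from the user and neither is checked,
    so a quote in the value changes the meaning of the WHERE clause.
    """
    sql = f"SELECT username FROM users WHERE {column} = '{value}' ORDER BY username"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, column, value):
    """Hardened form applying the reply's two rules.

    1) the schema entity (column name) must be one of a fixed set chosen by
       the application, so it never comes from free text;
    2) the data value is handed to the DB-API driver as a parameter, so the
       driver quotes it and it can only ever be compared as a value.
    """
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"column not permitted: {column!r}")
    # Only the vetted identifier is formatted in; the value goes through '?'.
    sql = f'SELECT username FROM users WHERE "{column}" = ? ORDER BY username'
    return [row[0] for row in conn.execute(sql, (value,))]


def demo():
    """Run both variants on the same inputs and return what each produced."""
    conn = make_db()
    # Constructed input containing a quote, the shape a scanner would send.
    quoted_value = "x' OR '1'='1"
    results = {
        # String building lets the quote rewrite the predicate: every row comes back.
        "unsafe": search_unsafe(conn, "city", quoted_value),
        # Parameterised: the whole string is compared literally, so no city matches.
        "safe": search_safe(conn, "city", quoted_value),
        # Ordinary use of the safe path still works as intended.
        "normal": search_safe(conn, "city", "Berlin"),
    }
    # Free-text column names are refused before any SQL is built.
    try:
        search_safe(conn, "city = 'Berlin' OR 1=1", "anything")
        results["column_rejected"] = False
    except ValueError:
        results["column_rejected"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The value passed through the `?` placeholder never becomes part of the statement text, which is why `search_safe` returns nothing for the quoted input while `search_unsafe` returns every row. The column check is the part parameters cannot do for you: drivers only parameterise values, so identifiers have to be constrained by the application, which is exactly the second rule in the reply.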