This page is not created by, affiliated with, or supported by Slack Technologies, Inc.
2022-03-21
I'm in a situation where I need to string up SQL that has user input (the user will specify a table name and a column name), and I can't seem to parameterize this with C# SQL ADO. So I want to validate before I run it (to avoid SQL injection). Am I safe to just make sure the user input doesn't contain ";" or "go"? Or only allow a-zA-Z\.\_-?
The query will be of the form:
select top 1 {foo} from {bar} order by {foo} desc
where the user will supply foo as the column name and bar as the table name.
You don't need to validate anything if you do proper escaping/quoting. Does the library that you're using have some API for escaping/quoting values?
It seems like it doesn't for table names and column names. E.g. this is safe:
select Foo from Bar where Foo = @Foo
Then I can safely parameterize @Foo with sqlCommand.Parameters.AddWithValue("@Foo", foo);
But again, that doesn't work with table names or column names.
This sounds more appropriate: https://docs.microsoft.com/en-us/dotnet/api/system.data.sqlclient.sqlcommandbuilder.quoteidentifier?view=dotnet-plat-ext-6.0#system-data-sqlclient-sqlcommandbuilder-quoteidentifier(system-string)
I believe https://github.com/seancorfield/next-jdbc and https://github.com/seancorfield/honeysql do some sanitization. @U04V70XH6 might be able to elaborate.
For now I'll just say read the docs. I'm on vacation.
But the tl;dr is: use HoneySQL.
The built-in HoneySQL facilities only quote identifiers - there's no escaping:
(sql/format {:update :table :set {"foo-bar" 1 "baz/quux] = (DELETE FROM users), [x" 2}} {:dialect :sqlserver})
["UPDATE [table] SET [foo-bar] = ?, [baz/quux] = (DELETE FROM users), [x] = ?" 1 2]
That is, I couldn't find it - maybe I'm missing something.
The ? are SQL parameters. They are fully escaped by definition.
Oh, you're talking about the keys in the hash map? Gotcha.
There's some sanity checking on that but not much currently. Create a Github issue with that example and I'll give it some thought when I get back
Although I don't think escaping identifiers is something that's supposed to be solved by a tool like HoneySQL - sure, I'll open an issue. Have fun! :) Edit: done - https://github.com/seancorfield/honeysql/issues/394
Is it SQL server? If so you can use https://docs.microsoft.com/en-us/sql/t-sql/functions/quotename-transact-sql?view=sql-server-ver15 .
That would require a roundtrip to the DB or maybe coming up with very opaque statements. As I mentioned in the issue above, seems like escaping is rather simple if done along with quoting, so personally I'd go with that option.
It wouldn't, you would just construct + execute the SQL complete statement on the database server instead. For example:
declare @col sysname = 'id';
declare @table sysname = ';"] drop table users;';
declare @sql nvarchar(max) = (CONCAT('select top 1 ', QUOTENAME(@col), ' from ', QUOTENAME(@table)));
EXEC (@sql)
Where @col
and @table
could come from his C# code.
Well yeah, that's exactly what I meant by "opaque". Instead of a simple SELECT you now have that monster.
Hmm, seems pretty standard. But yeah, if he can easily validate it in C# I agree it is better. But then he might need to replicate all of the ways to refer to tables in SQL Server, so it might be more work.
Amazon delivery times are like the Windows file copy dialog. Package will be here today. Package will be here between 3 and 5. Package will be here between 3:15 and 5:15. Package will be here between 2 and 4. Package will be here before 10 PM.
> "We tried to deliver the package yesterday, but you weren't home." This is how Ted Kaczynskis are born.
If this were truly Windows, somewhere in your driveway is a stuck delivery agent who is asymptotically reaching your door.
LOL @U013YN3T4DA. Your comment reminded me of another one recently. The commenter was talking about Yoko Ono’s singing on the Get Back documentary and he said “Yoko did for singers what John Wayne Gacy did for clowns”
It finally arrives, and it's a wired mouse... I never even thought to check. I didn't think they even made wired mice anymore.. fuck
I'm sorry for that, but it's also very funny. :D Of course they make such mice - plenty of reasons to prefer them.
This is all to replace a mouse I lost somehow. I decided to go stay somewhere else for the weekend, but still needed to do some work, so I took the work laptop and mouse. I distinctly remember picking up the mouse and switching it off, otherwise it might wake up the laptop in the bag, which can be bad as it gets hot. Then I got to my destination and no mouse... I figured I must've picked it up, turned it off and stupidly put it back on the desk... I get home on Sunday. No mouse here to be seen! It's just gone.
I can only assume I was burgled, but they left the computer, tv, watches, art etc and just took my mouse. Just to maximally annoy me.
Look at the bright side; I’d imagine it’s a lot harder to misplace a wired mouse :)
I wrote myself a little Clojure and ClojureScript app that scrapes delivery status information from USPS, UPS, and FedEx and displays a list of packages with an estimated kph for how fast each package is going.
And I just got enough data that I've started using it to do forecasts: if a package is in city A, I use the data I have to generate 100 possible deliveries, then see what the distribution of how many days it takes a package to get from A to me is.
We moved from a big suburb to a small town a while back, and delivery service, even the accuracy of estimated delivery dates, is way worse.
The great thing about writing my own forecasting is I get a histogram (likely inaccurate) instead of a single delivery date.
HOPE is happening in NYC this July! https://www.hope.net/
@p-himik In case you're curious, I tried Xephyr and had odd mixed success. Xephyr would render to XScreenSaver's preview window, but not into the root window. Instead it would pop under the blank screen and be left there after dismissing the screensaver. 😄
x-posting since off-topic contains the superset of all Clojurians and I have a talk due in 2 days and I'm hoping someone gets nerdsniped into "helping" me a la "https://xkcd.com/386/"... 😁 https://clojurians.slack.com/archives/C053AK3F9/p1647901593337189?thread_ts=1647626343.230609&cid=C053AK3F9