In order to implement custom SQL functions named getUserName and getPassword that take an input URL, I'm trying to find a way to extract the user name and password from a given URL using regex.
The code will be executing in the Snowflake SQL flavor, so my coding tools are limited to the SQL functions and regex supported by Snowflake.
I can find the URL scheme and the domain/host, get their indexes and lengths, and extract everything in between as a substring to get the user name and password. The problem is that this won't work with many edge cases. Can you suggest better methods/code?
This is an example URL:
http://UserName123:P#$$:\/\/0rd#domain.co.uk:34567/3.0.1/file_name.txt?pn1:pv1&pn2:pv2#ref
This is the current regex used to identify the URL scheme and domain:
(^[a-z0-9.-]+:\/\/)|((?:#)([a-z0-9.-]+))
This is an SQL example of getting the scheme:
SPLIT_PART(REGEXP_SUBSTR(A, '^[a-z0-9.-]+://', 1, 1, 'c'), ':', 0) as split
Username and password in a URL are bad practice. URLs, along with the query string (and thus the passwords), will show up in server log files, or they can leak or get stolen some other way.
So a redesign is needed, not a solution to this problem.
I hope you find it good to know now instead of after solving the problem.
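An added example, not code from the question or the answer above, that does the extraction the RFC 3986 way and also masks the password before a URL is logged (the answer's concern). It assumes the standard "@" separates the userinfo from the host; the question's sample URL has "#" in that position, so the constructed samples below rewrite it with "@", once with the password percent-encoded and once left raw, to show which of the two a parser can actually handle. The names (extract_credentials, redact, SAMPLE_URLS) are mine.

```python
import re
from urllib.parse import unquote

# RFC 3986 layout: scheme "://" authority [path] ["?" query] ["#" fragment].
# The authority ends at the first "/", "?" or "#", so those characters must be
# percent-encoded inside a password; a raw one cannot be placed by any parser.
_AUTHORITY = re.compile(r'^(?P<scheme>[A-Za-z][A-Za-z0-9+.\-]*)://(?P<authority>[^/?#]*)')


def _split_authority(url):
    """Return (match, userinfo, host_port), or None when there is no userinfo."""
    m = _AUTHORITY.match(url)
    if not m:
        return None
    # Split at the LAST "@": a raw "@" earlier in the authority belongs to the userinfo.
    userinfo, at, host_port = m.group('authority').rpartition('@')
    if not at:
        return None
    return m, userinfo, host_port


def extract_credentials(url):
    """Return (username, password), percent-decoded; None for a missing piece.

    User and password are split at the FIRST ":" so the password itself may
    contain colons, which RFC 3986 allows.
    """
    parts = _split_authority(url)
    if parts is None:
        return None, None
    _, userinfo, _ = parts
    user, colon, password = userinfo.partition(':')
    return unquote(user), (unquote(password) if colon else None)


def redact(url):
    """Mask the password so the URL can be written to a log without leaking it."""
    parts = _split_authority(url)
    if parts is None:
        return url
    m, userinfo, host_port = parts
    user, colon, _ = userinfo.partition(':')
    masked = user + (':***' if colon else '')
    start, end = m.span('authority')
    return url[:start] + masked + '@' + host_port + url[end:]


# Constructed sample inputs (assumptions, not data from the post).
SAMPLE_URLS = {
    # the post's URL with "@" as the userinfo separator and the password percent-encoded
    'encoded': 'http://UserName123:P%23$$%3A%2F%2F0rd@domain.co.uk:34567/3.0.1/file_name.txt?pn1:pv1&pn2:pv2#ref',
    # password containing colons
    'colons': 'ftp://alice:se:cr:et@files.example.org/pub',
    # user only, no password
    'nopass': 'https://bob@example.com/',
    # no credentials at all; the "@" in the query is not in the authority
    'nocreds': 'https://example.com/login?user=x@y',
    # the post's password left raw: the "#" ends the authority, so the credentials are unrecoverable
    'raw': 'http://UserName123:P#$$://0rd@domain.co.uk:34567/3.0.1/file_name.txt',
}
```

The same two-step split (authority by regex, then the last "@" and the first ":") transfers to Snowflake, whose REGEXP_SUBSTR accepts a group number as its last argument together with the 'e' flag; the "raw" sample shows why the question's approach fails on edge cases: a password with an unencoded "#" or "/" is not a URL any regex can split correctly, so the fix is to percent-encode the password at the producer, or, as the answer says, not to put it in the URL at all.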
I'm trying to secure a login endpoint by attempting to bypass the login, which uses LDAP.
It employs a search query of "cn=" + username + ", dc=example, dc=com" with a filter of "(objectClass=*)".
Is an LDAP injection attack possible here via username? Obviously, I will eventually escape all the queries and filters.
LDAP injection attacks can't do anything useful.
In your case, you're injecting the user input into the base DN (also called "search root") of the search. The base DN must be a valid DN (distinguished name). Any attempt at injecting some clever value there will likely result in something that is not a valid DN, and the search will fail (or return nothing). Even if it did result in a valid DN, I assume you are still asking for the user's password, so they'd have to know the password for that account.
But if you want to prevent that, just replace , in the input with \,. That's likely something you should do anyway, since if the account has a comma in the name, it will be escaped like that in the DN. This is an odd way of doing it, though. Usually the base DN would always be the same and you would use the search filter to find the right account (i.e. (&(objectClass=user)(cn={whatever})))
If you are injecting user input into the search filter, the end user could change the query, but there is still nothing useful that can be done, since the query can only read values (although you can still protect against that if you want, by escaping ( and ) as \28 and \29).
LDAP queries are not like SQL, where an injection attack can end the SELECT statement and begin another statement.
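An added example (mine, not the answer's code) of the two escapings the answer mentions, carried out for the full character sets of RFC 4514 (DN string form) and RFC 4515 (search filters) rather than only the comma and the parentheses, and applied to both positions of the question's lookup: the base DN "cn=<username>,dc=example,dc=com" and the filter shape the answer recommends. The function names and the constructed sample inputs are assumptions.

```python
# Escaping helpers for the two places user input lands in the question's
# search: the base DN (RFC 4514 section 2.4) and the search filter
# (RFC 4515 section 3).

_DN_SPECIAL = set('\\,+"<>;=')


def escape_dn_value(value):
    """Escape an attribute value for use inside a DN string.

    Backslash-escapes the RFC 4514 specials, a leading '#', and a leading or
    trailing space; NUL becomes the hex pair \\00.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')
        elif ch == ' ' and (i == 0 or i == last):   # leading/trailing space
            out.append('\\ ')
        elif ch == '#' and i == 0:                   # leading hash
            out.append('\\#')
        else:
            out.append(ch)
    return ''.join(out)


# RFC 4515: these are the only characters that need hex-escaping in an
# assertion value (the answer names the two parentheses; '*' matters as much,
# since it is the wildcard).
_FILTER_ESCAPES = {'\\': '\\5c', '*': '\\2a', '(': '\\28', ')': '\\29', '\x00': '\\00'}


def escape_filter_value(value):
    """Escape an assertion value for use inside a search filter."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def search_parameters(username):
    """Build (base_dn, search_filter) for the lookup with the input escaped in both."""
    base_dn = 'cn=' + escape_dn_value(username) + ',dc=example,dc=com'
    search_filter = '(&(objectClass=user)(cn=' + escape_filter_value(username) + '))'
    return base_dn, search_filter


# Constructed inputs: an ordinary name, a name that legitimately contains a
# comma, and two strings shaped like injection attempts.
SAMPLE_NAMES = ['alice', 'Smith, John', 'x,dc=evil,dc=com', '*)(uid=*']
```

With the escaping in place a value like "x,dc=evil,dc=com" stays a single cn component instead of contributing two new RDNs, and "*)(uid=*" is matched literally instead of turning the filter's cn test into a wildcard.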
A somewhat odd PostgreSQL question for our highly specific use case. We have a table which accepts URLs as part of a comment input from our users. This is on a highly trafficked site. We had some PHP code that validated that users only entered correctly formed URLs, if they included one in their comment (usually comment text does not include any URLs).
However, sadly, our PHP is old, on an old server. So at some point the ereg logic we had became dysfunctional, which means miscreant users have had a field day entering comments with badly formed URLs like the following:
l%20are%20generally%20included%20almost%20anyplace--even%20if%20your%20"yard"%20is%20bound%20to%20an%20outdoor%20patio%20or%20balcony.Adding%20water%20to%20your%20patio%20could%20be%20as%20simple%20as%20aiming%20a%20low%20dish%20of%20water%20designed%20for%20use%20in%20the%20form%20of%20birdbath.Any%20cursory%20container%20around%206%20in%20.wide%20and%20a%20half-inch%20deep%20will%20attempt%20to%20work.Pie%20pans,%20garbage%20can%20lids,%20or%20flo
Note that it's not a URL at all. Hence our question: is there a PostgreSQL-only way, perhaps through some PL/SQL function or some stored function or something, that we can use to delete all these rubbish records from our database? We'd ideally not want to use a PHP program that went through the entire database and checked it against the valid URL pattern.
We'd like to execute this within PG itself. We can take the database offline to perform this task for as long as it takes.
Thank you!
SELECT * FROM table WHERE url_column !~* '(https?|ftp)://(-\.)?([^\s/?\.#-]+\.?)+(/[^\s]*)?'
Try this query, validate the output, and then you could create a DELETE query from this example.
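An added example (mine, not the answer's) of the dry-run-then-delete workflow the answer suggests, run against a constructed in-memory SQLite table because that runs stand-alone; SQLite's REGEXP operator calls a user-registered regexp() function, which here stands in for the Postgres !~* operator. The pattern is the answer's, wrapped in ^...$ as an added assumption: without the anchors a row survives as soon as a URL appears anywhere in the value. Table and column names and the sample rows are assumptions.

```python
import re
import sqlite3

# The answer's pattern, anchored (added assumption) so that the WHOLE value
# must be a URL; the unanchored form keeps any comment with a URL buried in it.
URL_PATTERN = r'^(https?|ftp)://(-\.)?([^\s/?\.#-]+\.?)+(/[^\s]*)?$'


def is_url(value):
    """Python-side twin of the SQL predicate, for spot checks."""
    return value is not None and re.match(URL_PATTERN, value, re.IGNORECASE) is not None


def _regexp(pattern, value):
    """Backs SQLite's `value REGEXP pattern`; a NULL value stays NULL as in Postgres."""
    if value is None:
        return None
    return 1 if re.match(pattern, value, re.IGNORECASE) else 0


def purge_bad_urls(rows):
    """Dry-run SELECT, then DELETE with the identical predicate.

    rows: list of (id, url). Returns (deleted_ids, surviving_rows).
    Stand-in for `url_column !~* '...'` on the Postgres side.
    """
    con = sqlite3.connect(':memory:')
    con.create_function('regexp', 2, _regexp)
    con.execute('CREATE TABLE comments (id INTEGER PRIMARY KEY, url TEXT)')
    con.executemany('INSERT INTO comments VALUES (?, ?)', rows)
    # One predicate string for both statements, so what was reviewed is what goes.
    predicate = 'url IS NOT NULL AND NOT (url REGEXP ?)'
    doomed = [r[0] for r in con.execute(
        'SELECT id FROM comments WHERE ' + predicate + ' ORDER BY id', (URL_PATTERN,))]
    con.execute('DELETE FROM comments WHERE ' + predicate, (URL_PATTERN,))
    kept = con.execute('SELECT id, url FROM comments ORDER BY id').fetchall()
    con.close()
    return doomed, kept


# Constructed rows: a well-formed URL, the post's garbage (shortened), an
# upper-case scheme, a NULL (comment without a URL) and a URL buried in text.
SAMPLE_ROWS = [
    (1, 'https://example.com/path?x=1'),
    (2, 'l%20are%20generally%20included%20almost%20anyplace--even%20if'),
    (3, 'FTP://files.example.org'),
    (4, None),
    (5, 'see http://example.com for details'),
]
```

Two things carry over to Postgres: the explicit IS NOT NULL, because `NULL !~* pattern` is NULL and such rows are neither listed by the dry run nor deleted, and the fact that the nested repetition `([^\s/?\.#-]+\.?)+` can backtrack heavily on long non-matching input in a backtracking engine such as Python's re, so keep the check inside the database as the question intends.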
I'm writing an R application in which I'm interacting with a SQL database using the RODBC package. I'm looking up items in the database based on columns in a .csv file. Although I have no reason to expect malicious content in these files, I'd much rather be safe than sorry.
How do you sanitize user input for use in a SQL query in R? In most languages I've come across, there were libraries that would accept a string, and return a sanitized string back to you. Does anything like that exist in R?
You could always use regular expressions to construct an accepted pattern and remove the cases that don't match.
I'd try that, to be in full control. I don't know of any ready-made checks.
I've seen that it's possible to get into a website's SQL database just by typing certain SQL lines into the browser's address bar. How is this even possible? Shouldn't the address bar only redirect us to the website? How can the address bar accept SQL syntax? I'm a total layman when it comes to browsers, but it fascinates me that address bars offer vulnerabilities.
How is this even possible?
The application is executing arbitrary SQL that is read from the URL. Think http://example.com/search.php?query=SELECT%20....
Shouldn't address bar only redirect us to website?
That's exactly what it's doing. The vulnerability is in the website's handling of that URL.
How's that address bar can accept sql syntax?
The SQL query is just text that's part of a URL. The address bar doesn't know (or care) that your URL contains SQL.
Are you going to use the answer to this question for good, or for evil?
In any case, assume you have a URL in the form
http://mysite.com/dosomething?email=$EMAIL
And you have some code that executes a query that looks like this:
SELECT fieldlist
FROM table
WHERE field = '$EMAIL';
Then this page explains how someone can manipulate the contents of EMAIL to execute essentially an arbitrary query:
SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).
For example, let's say that you have a text field that receives a value and then assigns that value to the variable userName; then you have a statement that receives the value and concatenates it to a string representing your query, like this:
statement = "SELECT * FROM users WHERE name = '" + userName + "';"
Let's say that the value you are passing is something like ' or '1'='1. This example could be used to force the selection of a valid username, because the evaluation of '1'='1' is always true. This is only an example! Check this site in order to learn more about it.
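An added example, not code from any of the posts, that serves both the R/CSV question earlier on this page and the `WHERE field = '$EMAIL'` pattern in the answers here: the concatenated query beside its bound-parameter form, both run with the ' or '1'='1 value quoted above against a constructed SQLite table, plus an allowlist check of the kind the R answer suggests, used as defence in depth rather than as the fix. Table contents, function names and the e-mail pattern are assumptions.

```python
import re
import sqlite3

# Constructed user table, not the page's data.
USERS = [('alice@example.com', 'alice'), ('bob@example.com', 'bob'), ('carol@example.com', 'carol')]


def _connect():
    con = sqlite3.connect(':memory:')
    con.execute('CREATE TABLE users (email TEXT, name TEXT)')
    con.executemany('INSERT INTO users VALUES (?, ?)', USERS)
    return con


def lookup_vulnerable(email):
    """The pattern from the answers: the value from ?email= is pasted into the SQL text."""
    con = _connect()
    sql = "SELECT name FROM users WHERE email = '" + email + "';"
    return sorted(row[0] for row in con.execute(sql))


def lookup_safe(email):
    """Bound parameter: the driver ships the value separately from the SQL,
    so it is compared as data and never parsed as SQL."""
    con = _connect()
    return sorted(row[0] for row in con.execute('SELECT name FROM users WHERE email = ?', (email,)))


# Allowlist in the spirit of the R answer: accept only values shaped like an
# address. Useful for CSV-driven lookups, but no substitute for binding.
_EMAIL_RE = re.compile(r'^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$')


def accept_email(value):
    return _EMAIL_RE.match(value) is not None


def lookup_checked(email):
    """Reject unexpected input up front, then still use a bound parameter."""
    if not accept_email(email):
        raise ValueError('rejected input: %r' % email)
    return lookup_safe(email)


PAYLOAD = "' or '1'='1"   # the injection string quoted in the answer above
```

With the payload, lookup_vulnerable runs `... WHERE email = '' or '1'='1'` and returns every user; lookup_safe returns nothing, because no row has that literal string as its e-mail address. For the RODBC case the same principle applies: pass the CSV values as bound parameters (the RODBCext package adds sqlExecute for this) rather than hunting for a sanitizing function.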
I have several domain names saved in a database in IDN format ("xn--"). I want to run some statistics queries, but have a problem counting characters in these domain names:
SELECT
    dom_name,
    char_length(dom_name) AS raw_length -- counted with zone extension for now
FROM
    my_domains_table;
Of course I make a mistake with "xn--" domains, and I wanted to get the count from SQL (not using PHP or some other language further on).
Or, please, give me some advice on how to do it better.
Saving the domain names into the table in UTF-8 in the first place would be great, but this is not an option right now :)
If you can install untrusted languages in your database, like PL/PerlU or PL/PythonU, then you can create a punycode_decode function using the Net::IDN::Encode Perl module or Python's decode('idna') string method.
If you can't, then you'd need to implement it in PL/pgSQL, which won't be easy.