Hello,
How to write secure queries when the queried text nodes contain ampersands? For instance:
declare variable $publisher external; (: $publisher = 'Faber & Faber' :)
declare variable $db := db:open('db');
let $records := $db/record/publisher[. = $publisher] (: publisher = 'Faber & Faber' :)
return $records
The external variable is unsafe input, escaped by the sending application. Escaping the ampersand in the external variable with &amp; doesn't work; BaseX stops finding hits. Just letting the ampersand pass might expose the code to injection attacks? I could switch to a full-text query and remove the ampersand from the external variable, but that's a bit hackish. The expression is exact.
How to proceed in a secure way?
Hi trichel,
Which API are you using to bind the external variables to your query before evaluating it?
Best, Christian
trichel <trichel@protonmail.com> wrote on Sun., 26 June 2022, 18:58: [message quoted in full above]
Hi Christian,
I'm using the GET method from the BaseX REST API. Up until now I simply removed ampersands from a query, just to be safe.
Laurent
------- Original Message ------- On Sunday, June 26th, 2022 at 7:02 PM, Christian Grün <christian.gruen@gmail.com> wrote: [message quoted in full above]
With the REST API, you'll be fine. The passed on value will be bound as string, and the original query won't be modified.
trichel <trichel@protonmail.com> wrote on Sun., 26 June 2022, 19:15: [message quoted in full above]
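As an added example (not code from the thread, nor from BaseX itself), this is how the REST GET call discussed above can pass a value containing an ampersand: the value is URL-encoded so it survives query-string parsing, but it is not XML-escaped, which is why the &amp; variant never matched any text node. The endpoint URL and the `$name=value` binding convention are assumptions, as is the `spliced_query` helper that shows the pattern binding replaces.

```python
"""Added example (not from the thread): binding a value that contains '&'
to a BaseX REST query without XML-escaping it.

Assumed (not stated in the thread): the REST endpoint http://localhost:8984/rest
and the BaseX REST convention of binding external variables through
`$name=value` query-string parameters.
"""
from urllib.parse import urlencode, urlsplit, parse_qs

# The query from the thread, with the external variable bound by the caller.
QUERY = """
declare variable $publisher external;
declare variable $db := db:open('db');
for $rec in $db/record
where $rec/publisher = $publisher
return $rec
"""


def build_query_url(base: str, query: str, **bindings: str) -> str:
    """URL-encode the query and each external variable as `$name=value`.

    Only URL encoding is applied ('&' becomes %26 so it survives query-string
    parsing). No XML escaping: BaseX binds the value as a plain string, so
    'Faber &amp; Faber' would be compared literally and never match.
    """
    params = {"query": query}
    params.update({f"${name}": value for name, value in bindings.items()})
    return f"{base}?{urlencode(params)}"


def decode_bindings(url: str) -> dict:
    """What the server sees after query-string parsing, e.g. {'$publisher': 'Faber & Faber'}."""
    parsed = parse_qs(urlsplit(url).query)
    return {k: v[0] for k, v in parsed.items() if k.startswith("$")}


def spliced_query(publisher: str) -> str:
    """The pattern that binding avoids (hypothetical, for contrast): input pasted
    into the query text. A value with a quote (O'Reilly) already unbalances the
    string literal; that fragility is exactly what external variables remove."""
    return f"db:open('db')/record/publisher[. = '{publisher}']"


if __name__ == "__main__":
    url = build_query_url("http://localhost:8984/rest", QUERY, publisher="Faber & Faber")
    print(url)
    print(decode_bindings(url))
```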
BaseX just always surprises in a positive way. I've been worrying all this time about injection attacks, which I will continue to do, but now in a different way ...
Thanks Christian
------- Original Message ------- On Sunday, June 26th, 2022 at 7:21 PM, Christian Grün <christian.gruen@gmail.com> wrote: [message quoted in full above]