Re: Change in datetime type casting

From: Federico Di Gregorio <fog(at)dndg(dot)it>
To: psycopg(at)postgresql(dot)org
Subject: Re: Change in datetime type casting
Date: 2012-07-02 08:24:44
Message-ID: 4FF15ACC.7010203@dndg.it
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: psycopg

On 29/06/12 23:36, Daniele Varrazzo wrote:
>> test=> INSERT INTO bool_test VALUES (34,'True');
>> > INSERT 0 1
> You are only thinking about half of the story: writing stuff in. I am
> thinking about the people who will have to read things out. Writing
> "True" as a boolean, not only you are giving people the problem of
> knowing the type, you are also adding an entirely different
> representation of a boolean into the database that any wannabe user of
> that hstore value will have to know. Which is good as any other (but
> less good than the only *output* postgres provides), and binds us,
> hands and feet, to maintain that one.
>
> It may eventually happen in the future that we will allow any type
> into an hstore, but that their conversion will be str() will just not
> happen.
>
> But then, what about the keys? Shall we convert them too or not? If
> so, what about the dict {1: 'hello', '1': 'world'}: how do you convert
> it into an hstore?

Hi *,

I investigated the problem a little bit during the weekend and tried
with some "dumb" conversions, like using adapt() and then removing the
cast from the resulting string (and adding an E' before the whole string
if any of the strings had it). It works, barely, and it is a #?^!£$% hack.

After writing the code I guessed at least a couple of ways of mixing
different data types to produce a string with the wrong quoting. That's
still not valid SQL-injection but not far from it.

So, from a security standpoint, I see 2 answers to this problem:

1) Convert everything to string (using str()) and then quote that to
build the hstore data. I don't like this but at least it is safe.

2) Throw an exception if keys/values aren't strings and force the user
to convert the data before trying to send it to the hstore.

I am starting to think that (2) is the only sane solution.

federico

--
Federico Di Gregorio federico(dot)digregorio(at)dndg(dot)it
Studio Associato Di Nunzio e Di Gregorio http://dndg.it
Il panda ha l'apparato digerente di un carnivoro (e.g., di un orso).
Il panda ha scelto di cibarsi esclusivamente di germogli di bambù.
Quindi, il panda è l'unico animale vegano del pianeta. Il panda
merita di estinguersi. -- Maria, Alice, Federico

In response to

Responses

Browse psycopg by date

  From Date Subject
Next Message Daniele Varrazzo 2012-07-03 01:25:49 Re: Change in datetime type casting
Previous Message Richard Harley 2012-07-01 16:05:06 Strange Behaviour in Zope 2.10/PG9