
In PHP (and MySQL) we have a host of techniques for ensuring that the data entered is valid and safe. Adding slashes, MySQL's escape string and regex are a few we often use.

I've seen THIS LINK that gives a very preliminary introduction to the subject but it is probably not complete or up-to-date.

My questions:

  1. Does Lazarus/FPC offer such features?

  2. What does Delphi offer? At least some clues or function names may give me an idea so that I may build it for Lazarus.

Thanks!

itsols

2 Answers


In almost any framework, the most reliable way to guard against bad data is not to try to escape it, but to simply always use prepared statements.

Lazarus/FreePascal is not an exception to this rule - see some examples of how to use prepared statements in FreePascal.

mvp

This question appears to be entirely about injection. And you defend against that by passing all user data to the DB using parameters. When you do this there's no need to escape anything. Don't be tempted to tackle this problem in any other way.

David Heffernan
  • By **database framework** do you mean the DBMS? If so, I'm not so sure of that. We've always had to escape or do some additional formatting to work with MySQL in the last 6 years. Only now, some of these offer some additional functionality by default. I've successfully broken my own database apps without these 'extras'. – itsols Dec 18 '12 at 11:55
  • Not the DBMS. The layers above that. User data is always passed to the database via parameters. Also known as [prepared statements](http://en.wikipedia.org/wiki/Prepared_statement). I'm sure you used those in PHP. And the database components that you use in Delphi (and PHP) don't require you to escape the parameters. – David Heffernan Dec 18 '12 at 11:59
  • @DavidHeffernan By parameters in Delphi/Lazarus do you mean something like this: **dbQuery.Params.ParamByName('pCode').AsString := pField;** – itsols Dec 18 '12 at 12:05
  • Exactly. The answer of @mvp says much the same and gives you a useful link. – David Heffernan Dec 18 '12 at 12:07
  • How do you protect against injection in your PHP code? Presumably you use parameters/prepared statements there. – David Heffernan Dec 18 '12 at 12:07
  • @DavidHeffernan With PHP using the older versions, we just addslashes/mysql_real_escape_string when using classic PHP code. But with frameworks like CodeIgniter, we opted for preparing statements. And with Lazarus, I used the parameters in the beginning (not knowing its real use). But later (ignorantly) I found it too much work and built my string for the query using the **format** function that I found easier and more like C/C++. So I guess the formatting method is not the best way to go... And wow, do I have a lot to change! – itsols Dec 18 '12 at 12:14
  • All sound advice is that you use prepared statements everywhere. Never ever ever try to escape user data. That's just begging for injection attacks. – David Heffernan Dec 18 '12 at 12:15
  • Thanks for your inputs! BTW, have you any idea about the availability of regex in Delphi/Lazarus? Seems like Lazarus doesn't support it yet. But what about Delphi? – itsols Dec 18 '12 at 12:17
  • Since XE there is a regex class built in to Delphi. As for FPC try here: http://wiki.freepascal.org/Regexpr – David Heffernan Dec 18 '12 at 12:19
  • Jedi Code Library had a wrapper for the PCRE library; it should also work in FPC 2.4, and recently untested patches were sent for FPC 2.6. The PCRE library has its own Delphi wrapper; dunno if it works with FPC as well or you would need to find a different API for FPC – Arioch 'The Dec 18 '12 at 12:22
  • @Arioch'The Thanks for your inputs as well. As it is, I find Lazarus (not sure about Delphi) to be slow/bloated. I'm trying to code everything internally as far as possible and avoid 3rd party units/libs. It may not be the best option but this is what I'm trying to achieve. Despite all the debate about stripping code and related ways of keeping code size small, and despite being an old Pascal fan, I must admit that Lazarus does produce heavy code. Thanks anyway for your tips. – itsols Dec 18 '12 at 12:28
  • Hey, if you really are an NIH addict - you should not use RegExp libraries (even if Delphi/FPC contain them) but implement it. Same goes for VCL/LCL. You cannot practically develop an application without re-using other people's code. And RegExp libs are nothing exceptional here; find and use them just like you use VCL. – Arioch 'The Dec 18 '12 at 12:36
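Both answers, and the comment thread about building the query string with `Format` versus using `Params.ParamByName`, come down to one difference: whether the user's value travels as part of the SQL text or separately from it. The following program is an added example, not code from the question or either answer, and uses the FPC SQLdb units against an in-memory SQLite database (it assumes the `sqlite3` shared library is available at run time; the `items` table and its two rows are constructed sample data). It runs the same lookup both ways with a legitimate code and with the classic `' OR '1'='1` input.

```pascal
program ParamsVsFormat;
{$mode objfpc}{$H+}

// Added example (not from the original question or answers).
// Assumes FPC with the SQLdb units (sqldb, sqlite3conn, db) and the
// sqlite3 shared library installed; all data below is constructed.

uses
  SysUtils, db, sqldb, sqlite3conn;

var
  Conn: TSQLite3Connection;
  Trans: TSQLTransaction;
  Q: TSQLQuery;

// The approach described in the comments: splice the user's value into
// the SQL text with Format. A quote in Input changes the statement itself.
function CountViaFormat(const Input: String): Integer;
begin
  Q.Close;
  Q.SQL.Text := Format('SELECT COUNT(*) AS n FROM items WHERE code = ''%s''',
                       [Input]);
  Q.Open;
  Result := Q.FieldByName('n').AsInteger;
  Q.Close;
end;

// The approach both answers recommend: a named parameter. The value is
// handed to the driver separately from the statement, so it can only ever
// be compared as data; there is nothing to escape.
function CountViaParams(const Input: String): Integer;
begin
  Q.Close;
  Q.SQL.Text := 'SELECT COUNT(*) AS n FROM items WHERE code = :pCode';
  Q.Params.ParamByName('pCode').AsString := Input;
  Q.Open;
  Result := Q.FieldByName('n').AsInteger;
  Q.Close;
end;

const
  Evil = ''' OR ''1''=''1';   // the string   ' OR '1'='1

begin
  Conn := TSQLite3Connection.Create(nil);
  Trans := TSQLTransaction.Create(nil);
  Q := TSQLQuery.Create(nil);
  try
    Conn.DatabaseName := ':memory:';
    Conn.Transaction := Trans;
    Trans.DataBase := Conn;
    Q.DataBase := Conn;
    Q.Transaction := Trans;
    Conn.Open;

    // Constructed sample table: two rows with distinct codes.
    Conn.ExecuteDirect('CREATE TABLE items (code TEXT, name TEXT)');
    Conn.ExecuteDirect('INSERT INTO items VALUES (''A1'', ''widget'')');
    Conn.ExecuteDirect('INSERT INTO items VALUES (''B2'', ''gadget'')');
    Trans.Commit;

    // A legitimate code matches one row either way.
    WriteLn('A1   via Format : ', CountViaFormat('A1'));
    WriteLn('A1   via Params : ', CountViaParams('A1'));

    // The injected input turns the Format-built WHERE clause into
    //   code = '' OR '1'='1'   and every row is returned.
    // As a parameter it is just a string no code equals: zero rows.
    WriteLn('evil via Format : ', CountViaFormat(Evil));
    WriteLn('evil via Params : ', CountViaParams(Evil));
  finally
    Q.Free;
    Trans.Free;
    Conn.Free;
  end;
end.
```

Compile with `fpc ParamsVsFormat.pas` and run it; the Format variant reports 2 rows for the injected input while the parameter variant reports 0. The same `Params.ParamByName(...)` assignment works unchanged with the MySQL connection classes in SQLdb, because the parameter binding is done by the connection component, not by the SQL text, which is the point both answers make.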