Input Sanitization with libpq / libpqxx

Question

I'm just getting started implementing some client software for a PostgreSQL database.

The queries will allow input parameters that come from an untrusted source. Therefore I need to sanitize my transactions before actually commiting them.

As for libpq I've found PQescapeStringConn, that may do want I need. However, as my code will be written in C++, I'd prefer to use a libpqxx equivalent. I could not find anything related. (Except probably the Escaper, which however lies in the internal namespace...)

I'd appreciate any suggestions on best practices, reading, links to the documentation, whatever.

Answer 1

Using pqxx::transaction_base::quote is the way to go.

Here's a simple example:

// connection to the database
std::string login_str = "TODO: add credentials";
pqxx::connection conn(login_str);
pqxx::work txn(conn);

// a potentially dangerous input string
std::string input = "blah'; drop table persons; --";

// no proper escaping is used
std::string sql_1 = "select * from persons where lastname = '%s'";
std::cout << boost::format(sql_1) % input << std::endl;

// this is how it's done
std::string sql_2 = "select * from persons where lastname = %s";
std::cout << boost::format(sql_2) % txn.quote(input) << std::endl;  

The output is:

select * from persons where lastname = 'blah'; drop table persons; --'
select * from persons where lastname = 'blah''; drop table persons; --'

For reference:

• http://pqxx.org/devprojects/libpqxx/doc/development/Reference/a00196.html#details

Answer 2

Actually in order to give a better view, I was having an issue with this kind of things this week and we started using std::string pqxx::transaction_base::esc

You just have to add it in the argument you going to insert or update, and it will do the job. The quote function mentioned up there, its add the quote to the argument, but it does not fix the problem.

For example; if you do something like UPDATE person set name = w.quote(name) where id = 1; There you are using the quote correctly in order to put between quotes the argument. So in order to insert a single quote or avoid SQL Injection, you have to do: UPDATE person set name = + "'" + w.esc(name) + "'" where id = 1 OR UPDATE person set name = w.quote(w.esc(name)) where id = 1; Being W the pqxx::work variable already initialized with the connection to the database.