CSE 115. Introduction to Computer Science I

Size: px

Start display at page:

Download "CSE 115. Introduction to Computer Science I"

Camron Stephens
5 years ago
Views:

1 CSE 115 Introduction to Computer Science I

2 Road map Review HTML injection SQL injection

3 Persisting data Central Processing Unit CPU Random Access Memory RAM persistent storage (e.g. file or database)

4 Persisting data text file - stream of characters CSV file - fields separated by comma database - can support highly efficient operations on data

5 SQLite import sqlite3 conn = sqlite3.connect('atest.db') cur = conn.cursor() do things to database conn.commit() conn.close()

6 Changes to add_song def add_song(song): #{"song_id": song_id, "title": title, "artist": artist} if songnotvalid(song) or songidalreadyexists(song['song_id']) return with open(songs_filename, "a") as file: writer = csv.writer(file) writer.writerow([song['song_id'], song['title'], song['artist']]) def insertsong(song): cur.execute('insert INTO songs VALUES (?,?,?)', (song['song_id'], song['title'], song['artist'])) Now we can migrate from CSV to SQLite

7 Changes to add_song def add_song(song): #{"song_id": song_id, "title": title, "artist": artist} if songnotvalid(song) or songidalreadyexists(song['song_id']) return insertsong(song) conn.commit() def insertsong(song): cur.execute('insert INTO songs VALUES (?,?,?)', (song['song_id'], song['title'], song['artist'])) Define insertsong function to construct SQL command.

8 Changes to ratings.py def rate_song(song_rating): #{"song_id": song_id, "rating": rating} if ratingnotvalid(rating) or not songidalreadyexists(rating['song_id']): return with open(ratings_filename, "a") as file: writer = csv.writer(file) writer.writerow([song_rating['song_id'], song_rating['rating']]) Migrate from CSV to SQLite

9 Changes to ratings.py def rate_song(song_rating): #{"song_id": song_id, "rating": rating} if ratingnotvalid(rating) or not songidalreadyexists(rating['song_id']): return insertrating(rating) conn.commit() def insertrating(rating): cur.execute('insert INTO ratings VALUES (?,?)', (rating['song_id'], rating['rating'])) Migrate from CSV to SQLite

10 Road map Review HTML injection SQL injection

11 HTML injection User can type any text into a text field. If that text is incorporated into the HTML rendered by the browser, then a user could 'inject' HTML. In the application, see what happens when this text is entered as both an "Unsafe review" and a "Safe review": <b>some bold text</b>

12 HTML injection User can type any text into a text field. What about this scary but in effect harmless HTML: <button onclick="alert('you\'ve been hacked!!');">click This</button>

13 HTML injection User can type any text into a text field. How about this more nefarious HTML? <!--

14 HTML injection User can type any text into a text field. Or some HTML which makes the browser redirect to a different site.

15 HTML injection User can type any text into a text field. Or this HTML which makes the browser redirect to a different site: <META HTTP-EQUIV="refresh" CONTENT="1;url=

16 HTML injection prevention User can type any text into a text field. Don't incorporate directly. Use an HTML escape mechanism which allows us to distinguish data from program. Characters like are encoded as < > & " < > & "

17 HTML injection prevention In our ratings.py code: re = rating['review'] re = html.escape(re)

18 Road map Review HTML injection SQL injection

19 SQL injection User can type any text into a text field. The application has a search feature that allows a user to retrieve all the songs by a particular artist. Suppose the user enters Boston in the search box - what do we expect to see?

20 SQL injection User can type any text into a text field. The application has a search feature that allows a user to retrieve all the songs by a particular artist. Suppose the user enters Boston in the search box - we'll see a listing of the songs by the artist Boston: More than a feeling - Boston Something about you - Boston

21 SQL injection User can type any text into a text field. If that text is incorporated into the SQL executed by our database engine, bad things can happen. ' OR '1'='1' starts a comment in SQL causes rest of SQL in command to be ignored

22 SQL injection The SQL command DROP TABLE somename removes the table whose name is somename, as in DROP TABLE songs or DROP TABLE ratings

23 SQL injection What would this do if we typed it into our search field? Boston'; DROP TABLE songs; -- ; separates commands in SQL

24 SQL injection It turns out nothing, because the execute function does not permit multiple commands.

SQL injection prevention As a function with safe substitution def insert(title, director, year): cur.execute('insert INTO movies VALUES (?,?,?)', (title, director, year)) '?

26 SQL injection prevention As a function with safe substitution def insert(title, director, year): cur.execute('insert INTO movies VALUES (?,?,?)', (title, director, year)) '?' is a placeholder that is used for safe replacement: parameter substitution. Usually your SQL operations will need to use values from Python variables. You shouldn t assemble your query using Python s string operations because doing so is insecure; it makes your program vulnerable to an SQL injection attack (see for humorous example of what can go wrong). Instead, use the DB-API s parameter substitution. Put? as a placeholder wherever you want to use a value, and then provide a tuple of values as the second argument to the cursor s execute() method.

CSE 115. Introduction to Computer Science I

CSE 115. Introduction to Computer Science I CSE 115 Introduction to Computer Science I Road map Review (sorting) Persisting data Databases Sorting Given a sequence of values that can be ordered, sorting involves rearranging these values so they