Re: Sanitise user input for a script

Liste des GroupesRevenir à cl python 
Sujet : Re: Sanitise user input for a script
De : list1 (at) *nospam* tompassin.net (Thomas Passin)
Groupes : comp.lang.python
Date : 30. Aug 2024, 23:35:59
Autres entêtes
Message-ID : <mailman.19.1725057954.2917.python-list@python.org>
References : 1 2
User-Agent : Mozilla Thunderbird
On 8/30/2024 3:18 PM, Simon Connah via Python-list wrote:
I need to write a script that will take some user input (supplied on a website) and then execute a Python script on a host via SSH. I'm curious what the best options are for protecting against malicious input in much the smae way as you sanitise SQL to protect against SQL injections.
You should never, never, never "sanitize" SQL. Use prepared statements instead.
What kind of user input do you expect to get that would need to be "sanitized"? How are you going to use it such that malicious input might cause trouble?  I hope you aren't planning to exec() it.  Are you expecting a user to send in a script and your server will execute it? Better read up on sandboxing, then.
If you won't be exec()ing a script, then you can consider creating an API where each method of the API can only do limited things, and only with certain parameters not all of all them. The SSH message can include the name of the method to use.
And follow what Peter Holzer wrote.  Don't forget that quoting practices are not the same between Windows and Linux.

I could do it either on the website itself or by doing it on the host machine.
 I'm thinking of using argparse but I'm aware it does not offer any protection itself.
 If someone has any suggestions I'd appreciated it. If you need more information then please let me know.
 Simon.
 

Date Sujet#  Auteur
31 Aug 24 o Re: Sanitise user input for a script1Thomas Passin

Haut de la page

Les messages affichés proviennent d'usenet.

NewsPortal