Check for SQL injection

[jhakala]

It seems the code allows SQL injection. For example, one can insert additional SQL into the run numbers:
e.g.
http://hcalmon.cms/cgi-bin/RunInfoDiffer/viewDiffer.py?runnumber1=300363&runnumber2=300364
versus
http://hcalmon.cms/cgi-bin/RunInfoDiffer/viewDiffer.py?runnumber1=300363%20AND%20name=%27CMS.HCAL_HBHEc:CFGDOC_TXT%27&runnumber2=300364%20AND%20name=%27CMS.HCAL_HBHEc:CFGDOC_TXT%27

This example is relatively harmless, but in principle SQL injection could cause problems in the web server of the app as well as in the database backend.

[CiaranGodfrey]

Would this still be possible if I changed from get to post for HTTP method. SQL injection doesn't work through the actual interface, if I removed the info from the URL would there still be a way to do it?

[jhakala]

I'm not sure if it would make a difference if you changed from get to post -- I'd bet it would still be possible. (And FWIW, the interface only puts a browser-level protection against the SQL injection -- the html5 input field wants an integer, assuming you have a cooperative browser, but it's not hard to avoid... see the below screenshot).

Probably the better way to do this is to validate the input from the form. E.g., you could check whether the run number supplied is valid here: https://github.com/HCALRunControl/RunInfoDiffer/blob/master/viewDiffer.py#L35

[kakwok]

I agree we should validate the input, which should be easy and effective.

[CiaranGodfrey]

Okay I'll do that

[CiaranGodfrey]

I believe this is solved can I close this issue

[jhakala]

Could a check that run number > 0 be added? The database has some issues with run number 0; there is a lot of junk in the database with the [fake] run number 0 and it takes a very long time to query it.