From: Stef Mientki on 2 Oct 2009 14:53

hello,

I want to store some fields in an sqlite database.

I use ezPyCrypto to encrypt and decrypt:

    import base64
    import ezPyCrypto

    User = ['z684684', 'Mientki, Stef', 1, 1, 0, 1, 1]

    encryption_key_1 = ezPyCrypto.key(512)

    SQL = 'insert or replace into __USERS__ values ('
    for field in User:
        SQL += ",'" + encryption_key_1.encString(str(field)) + "'"
    SQL += ')'

Now this fails, probably because the second character of the encrypted string is a binary zero.

By trial and error, I found a workaround, but I'm not sure this will guarantee that it will always work: by converting the encrypted buffer with base64.encode:

    SQL += ",'" + base64.encodestring(EnCrypt_1(str(field))) + "'"

Will this method always work?
Are there better methods?

thanks,
Stef Mientki
From: Jonathan Gardner on 2 Oct 2009 16:37

On Oct 2, 11:53 am, Stef Mientki <stef.mien...(a)gmail.com> wrote:
>
> Will this method always work?
> Are there better methods?
>

If SQLite doesn't like raw data (with all its \0 glory), you're out of luck, unfortunately. Base64 encoding is a really good solution for places like this.

You are aware, of course, of the dangers of storing sensitive data in memory? That is, if you are storing the sensitive data anywhere in a Python variable, it is possible for someone with access to the memory of the machine to discover it.

If it is only the storage of the sensitive data you are concerned about, or the sensitivity of the data if it is transferred over the network, there are other, easier ways to protect the data than in an encrypted field.
From: Carsten Haese on 2 Oct 2009 16:41

Stef Mientki wrote:
> hello,
>
> I want to store some fields in an sqlite database.
>
> I use ezPyCrypto to encrypt and decrypt:
>
> User = ['z684684', 'Mientki, Stef', 1,1,0,1,1 ]
>
> encryption_key_1 = ezPyCrypto.key ( 512 )
>
> SQL_Base = 'insert or replace into __USERS__ values ('
> for field in User :
> SQL += ",'" + encryption_key_1.encString ( str ( item ))+ "'"
> SQL += ')'
>
>
> Now this fails, probably, because the second character of the encrypted
> string is a binary zero.
>
> By trial and error, I found a work around,
> but I'm not sure this will garantee that it will work always:
> by converting the encrypted buffer with base64.encode:
>
> SQL += ",'" + base64.encodestring(EnCrypt_1 ( str ( item )))+ "'"
>
> Will this method work always ?
> Are there better methods ?

There is definitely a better method! You should use parameter binding instead of rolling the query by hand:

    # cur is a cursor obtained from the sqlite3 connection
    SQL = "insert or replace into __USERS__ values (?,?,?,?,?,?,?)"
    params = [encryption_key_1.encString(str(x)) for x in User]
    cur.execute(SQL, params)

That way, the parameters are passed separately and safely, and the query syntax is protected from all the dangerous characters that are floating around in the parameters.

HTH,

--
Carsten Haese
http://informixdb.sourceforge.net
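An added example (not code from either poster) that shows the difference Carsten describes: a constructed byte string with a NUL as its second byte stands in for the ezPyCrypto output, and the concatenated query fails while the bound parameter round-trips unchanged. The table name `t` is assumed.

```python
import sqlite3

# Constructed stand-in for a ciphertext whose second byte is NUL, as in
# Stef's report; it also contains a single quote. Not real crypto output.
FAKE_CIPHERTEXT = b"\x9f\x00'\x7f\xffblob"


def store_by_concatenation(conn, value):
    """Build the INSERT by string concatenation, as in the original post.
    Returns the exception raised, or None if the insert went through."""
    try:
        # bytes cannot be joined to str in Python 3; decode with latin-1 so
        # the NUL and the quote land literally inside the SQL text, which
        # is what the original Python 2 code effectively did.
        sql = "insert into t values ('" + value.decode("latin-1") + "')"
        conn.execute(sql)
        conn.commit()
        return None
    except (ValueError, sqlite3.Error) as exc:
        # Python's sqlite3 rejects a query containing a NUL outright; an
        # older build would instead see the SQL truncated at the NUL.
        return exc


def store_by_binding(conn, value):
    """Pass the value as a bound parameter. sqlite3 stores bytes as a BLOB
    untouched, so NUL bytes and quotes never reach the SQL parser."""
    conn.execute("insert into t values (?)", (value,))
    conn.commit()
    row = conn.execute("select v from t where v = ?", (value,)).fetchone()
    return row[0] if row else None


def demo():
    """Returns (concatenation_failed, binding_roundtripped_exactly)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table t (v blob)")
    failure = store_by_concatenation(conn, FAKE_CIPHERTEXT)
    roundtrip = store_by_binding(conn, FAKE_CIPHERTEXT)
    return failure is not None, roundtrip == FAKE_CIPHERTEXT


if __name__ == "__main__":
    print(demo())
```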