[ic] "==" and "!=" as DB field values

Stefan Hornburg racke at linuxia.de
Tue Oct 28 09:50:12 EST 2003

On Mon, 27 Oct 2003 12:16:27 -0800
Peter <peter at pajamian.dhs.org> wrote:

> Grant wrote:
> >>Most problems with content of the field would mostly occur with control 
> >>characters (ascii less than 32) and characters that need escaping in SQL 
> >>strings.
> >>
> >>Behaviour for control characters within a string is undefined (what does 
> >>SQL do if there is a carriage return or newline in a string before the 
> >>string is terminated?).
> >>
> >>In SQL statements, strings are enclosed between apostrophes ('), so if 
> >>your strings contain apostrophes and you want to send them to an SQL 
> >>field, you need escape them by doubling them, otherwise the first 
> >>apostrophe in your string will be considered to be string terminator. In 
> >>the best case this would cause incorrect SQL syntax; in the worst case, 
> >>an improperly escaped apostrophe can compromise the security of your 
> >>application.
> Doesn't IC escape these automatically via the DBI quote function or via 
> '?'-type parameters?

Yes, in the most cases. You need to take care of that if you are calling
the query method from embedded Perl like:

$Db{products}->query("select * from products where name = '$CGI->{foo}'");

=> that's unsafe IMHO


LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team

More information about the interchange-users mailing list