[ic] sql filter not 100% safe for MySQL
John1
list_subscriber at yahoo.co.uk
Sat Jul 24 08:05:55 EDT 2004
The sql filter doubles up any single quotes to avoid a single quote ruining a
query and to protect against sql injection.
However, as you may also escape single quotes, i.e. \', it is still possible
to trip up a query.
e.g. \'' (this is 2 single quotes not a double quote), would be converted to
\''''
So, I use my own filter that escapes backslashes and single-quotes:
CodeDef mysql Filter
CodeDef mysql Routine <<EOR
sub {
my $val = shift;
# escape backslashes first, so the ones added below are not doubled again
$val =~ s/\\/\\\\/g;
# then escape single quotes as \'
$val =~ s:':\\':g;
return $val;
}
EOR
Perhaps the built-in sql filter would be better replaced with something
along these lines?
BTW, I assume that the [query] tag will only accept one sql statement, i.e.
can you do [query sql="select * from products;delete from some_table;"]?
If multiple statements in a [query] tag are allowed then \''; (again this is
2 single quotes here, not a double quote), would allow for SQL injection
even if the built-in sql filter is in use. I'd be grateful if someone could
confirm whether or not multiple SQL statements are accepted by a [query]
tag. Thanks
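As an added illustration (not code from this post or from Interchange), the two filters side by side with a small scanner that checks whether the escaped value, once wrapped in quotes, still forms exactly one MySQL string literal. The scanner assumes MySQL's default mode, where a backslash escapes the next character and '' stands for a literal quote; the function names and sample inputs are made up here.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Behaviour of the built-in sql filter as described in the post: double every quote.
sub filter_sql_doubling {
    my ($val) = @_;
    $val =~ s/'/''/g;
    return $val;
}

# The poster's mysql filter: escape backslashes first, then single quotes.
sub filter_mysql {
    my ($val) = @_;
    $val =~ s/\\/\\\\/g;   # \  -> \\
    $val =~ s/'/\\'/g;     # '  -> \'
    return $val;
}

# Returns 1 if "'" . $escaped . "'" scans as exactly one complete literal,
# 0 if the quote context closes early (injection risk) or never closes.
sub is_single_literal {
    my ($escaped) = @_;
    my @c = split //, "'" . $escaped . "'";
    my $i = 1;                                   # skip the opening quote
    while ($i < @c) {
        if ($c[$i] eq '\\') {                    # backslash escapes next char
            $i += 2;
        } elsif ($c[$i] eq "'") {
            if ($i + 1 < @c && $c[$i + 1] eq "'") {   # '' is a literal quote
                $i += 2;
            } else {
                return $i == $#c ? 1 : 0;        # closes here: ok only if last
            }
        } else {
            $i++;
        }
    }
    return 0;                                    # ran off the end, never closed
}

# Constructed samples: a normal quote, the \'' case from the post, a trailing backslash.
my @samples = ("O'Reilly", "\\''", "trailing\\");
for my $s (@samples) {
    printf "%-10s doubling:%d  mysql:%d\n", $s,
        is_single_literal(filter_sql_doubling($s)),
        is_single_literal(filter_mysql($s));
}
```

Under MySQL's NO_BACKSLASH_ESCAPES mode the backslash is not special and doubling is the correct rule, so the right escaping depends on the server, which is why a driver-level escape or bind parameters (DBI placeholders) beat a fixed regex.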