[ic] sql filter not 100% safe for MySQL

John1 list_subscriber at yahoo.co.uk
Sat Jul 24 08:05:55 EDT 2004

The sql filter doubles up and single quotes to avoid single quotes ruining a
query and protect against sql injection.

However, as you may also escape single quotes i.e. \'  it is still possible
to trip up a query.

e.g. \'' (this is 2 single quotes not a double quote), would be converted to

So, I use my own filter that escapes backslashes and single-quotes:

CodeDef mysql Filter
CodeDef mysql Routine <<EOR
sub {
 my $val = shift;
 $val =~ s/\\/\\\\/g;
 $val =~ s:':\\':g;
 return $val;

Perhaps the built-in sql filter would be better replaced with something
along these lines?

BTW, I assume that the [query] tag will only accept one sql statement.  i.e.
Can you do [query sql="select * from products;delete from some_table;"]

If multiple statements in a [query] tag are allowed then \''; (again this is
2 single quotes here, not a double quote), would allow for SQL injection
even if the built-in sql filter is in use.  I'd be grateful if someone could
confirm whether or not multiple SQL statements are accepted by a [query]
tag.  Thanks

More information about the interchange-users mailing list