[ic] sql filter not 100% safe for MySQL

Jack Cushman jc at alexinteractive.com
Sat Jul 24 18:05:25 EDT 2004


> Query will not execute two statements, but it would certainly be 
> possible
> to create a subquery situation.
>
> I wonder if MySQL has a way to ensure that \' is not interpreted
> as a single quote? That would be the best way to solve this.

I've been concerned about [filter sql] ignoring backslashes for a while 
as well (never got around to writing ...). Another simple example of a 
value that breaks the query, even with [filter sql], is any string that 
ends in backslash:

SELECT * FROM user WHERE name='John\';

My solution is the same as John's -- escape both quotes and backslashes:

# copy $untrusted into $trusted, then put a backslash before every ' and \
($trusted = $untrusted) =~ s/([\'\\])/\\$1/g;

SELECT * FROM user WHERE name='John\\';

Then, no matter how many backslashes or quotes the user enters, mysql 
just treats them as data instead of affecting the query. Could we add a 
standard mysql filter that escapes quotes and backslashes?

Thanks,
Jack
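As an added illustration (not code from the original post or from Interchange itself), the following Python models the two filters discussed above, a quote-only escaper and Jack's quote-and-backslash escaper, and then scans the resulting query the way MySQL tokenizes a single-quoted literal in its default mode, where a backslash escapes the next character. The function names, the build_query helper and the two sample inputs (a value ending in a backslash, and a `\'` prefix followed by an injected clause) are constructed for this example; the scanner is a simplified model of MySQL's literal rules (it does not map `\n`, `\t` and the like, which does not matter here).

```python
import re


def escape_quotes_only(s: str) -> str:
    """Naive filter: backslash-escape only single quotes.  Vulnerable, because
    the user can supply the backslash half of the escape sequence themselves."""
    return s.replace("'", "\\'")


def escape_quotes_and_backslashes(s: str) -> str:
    """Python equivalent of the Perl  s/([\\'\\\\])/\\\\$1/g  from the post:
    put a backslash before every single quote and every backslash."""
    return re.sub(r"(['\\])", r"\\\1", s)


def build_query(value: str, escaper) -> str:
    """Constructed example query: the escaped value goes inside a quoted literal."""
    return "SELECT * FROM user WHERE name='" + escaper(value) + "';"


def parse_literal(sql: str, start: int):
    """Scan a MySQL single-quoted literal starting at sql[start] (the opening
    quote), using simplified default-mode rules: a backslash takes the next
    character literally and '' is a literal quote.  Returns
    (decoded_value, sql_text_after_the_literal), or (None, None) when the
    literal never closes (MySQL would report a syntax error)."""
    assert sql[start] == "'"
    out = []
    i = start + 1
    n = len(sql)
    while i < n:
        c = sql[i]
        if c == "\\":
            if i + 1 >= n:
                return None, None          # dangling backslash at end of input
            out.append(sql[i + 1])         # escaped character, taken literally
            i += 2
        elif c == "'":
            if i + 1 < n and sql[i + 1] == "'":
                out.append("'")            # '' inside a literal is one quote
                i += 2
            else:
                return "".join(out), sql[i + 1:]   # closing quote found
        else:
            out.append(c)
            i += 1
    return None, None                      # ran off the end: unterminated


def what_mysql_sees(value: str, escaper):
    """Build the query with the given escaper and report the string value MySQL
    would decode plus the SQL text left over after the literal.  For a correct
    escaper the leftover text is always just the trailing ';'."""
    sql = build_query(value, escaper)
    return parse_literal(sql, sql.index("'"))


if __name__ == "__main__":
    # Two constructed inputs: a trailing backslash, and a backslash-quote
    # prefix that smuggles an extra clause past the quote-only filter.
    for raw in ["John\\", "\\' OR 1=1 -- "]:
        for esc in (escape_quotes_only, escape_quotes_and_backslashes):
            print(repr(raw), esc.__name__, what_mysql_sees(raw, esc))
```

With the quote-only filter, `John\` leaves the literal unterminated (the backslash swallows the closing quote), and `\' OR 1=1 -- ` decodes to a single backslash followed by ` OR 1=1 -- ';` as live SQL. With both characters escaped, each input comes back as exactly the bytes the user typed and the only SQL after the literal is the `;`. The scanner assumes MySQL's default mode where backslash is an escape character, which is the situation the post describes.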
