[ic] sql filter not 100% safe for MySQL

Daniel Davenport ddavenport at newagedigital.com
Sun Jul 25 04:29:50 EDT 2004



> -----Original Message-----
> From: interchange-users-bounces at icdevgroup.org
> [mailto:interchange-users-bounces at icdevgroup.org]On Behalf Of Tony
> Fraser
> Sent: Sunday, July 25, 2004 2:59 AM
> To: interchange-users at icdevgroup.org
> Subject: Re: [ic] sql filter not 100% safe for MySQL
>
>
> On Sat, 2004-07-24 at 20:15, Mike Heins wrote:
> > I would like to allow
> >
> > 	[query
> > 		sql="select field from table where foo = ? and bar = ?"
> > 		arg.0="[cgi foo]"
> > 		arg.1="[cgi bar]"
> > 	    ]
> >
> > but unfortunately the array-based args don't handle included ITL.
> > This would be the safest way to do it -- to have DBI do the quoting
> > for you as needed.
> >
> > I will think about this and see if an epiphany happens. Until then,
> > defining a mysql filter is probably the way to go.
>
>
> I haven't dug around in the IC DB layer much but would it be possible to
> make [filter op="sql"] reach down the stack and do a
> $dbi_handle->quote()?

There can be any number of different db handles--I'd be kinda surprised if
IC didn't use DBI for everything, even the DBM tables--and each database can
potentially want stuff quoted in its own special way.  The table needs to be
specified somehow, lest stuff destined for a pgsql database wind up with a
bunch of extra backslashes in it.

/me
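The two points made in this thread, that string quoting is dialect-specific (so a single "sql" filter cannot serve MySQL and PostgreSQL alike) and that DBI placeholders avoid the question entirely, as an added Perl example. This is not Interchange, DBI or list-member code: the two quoters are illustrative reimplementations of MySQL-style backslash escaping and standard-SQL quote doubling, the literal reader is a simplified model of MySQL's lexer, the payload is constructed, and the last section assumes DBI with DBD::SQLite is installed.

```perl
#!/usr/bin/perl
# Added example, not Interchange or DBI code.  Shows why one "sql" filter
# cannot be right for every backend and why the placeholder form is safer.
use strict;
use warnings;

# MySQL-style quoting: backslash escapes (as mysql_real_escape_string does).
sub quote_mysql {
    my ($s) = @_;
    return 'NULL' unless defined $s;
    $s =~ s/\\/\\\\/g;     # first, so we do not re-escape our own output
    $s =~ s/\0/\\0/g;
    $s =~ s/\n/\\n/g;
    $s =~ s/\r/\\r/g;
    $s =~ s/\x1a/\\Z/g;
    $s =~ s/'/\\'/g;
    $s =~ s/"/\\"/g;
    return "'$s'";
}

# Standard SQL quoting (PostgreSQL with standard_conforming_strings, SQLite):
# only the single quote is special, and it is doubled; backslash is data.
sub quote_std {
    my ($s) = @_;
    return 'NULL' unless defined $s;
    $s =~ s/'/''/g;
    return "'$s'";
}

# Walk a single-quoted literal the way MySQL's lexer does (simplified: escape
# sequences are not translated, which does not change where the literal ends).
# Returns (value, text remaining after the literal); a non-empty remainder
# means the value broke out of the string.
sub mysql_read_literal {
    my ($sql) = @_;
    die "expected a literal\n" unless substr($sql, 0, 1) eq "'";
    my ($val, $i, $len) = ('', 1, length $sql);
    while ($i < $len) {
        my $c = substr($sql, $i, 1);
        if ($c eq '\\' && $i + 1 < $len) {          # backslash escape
            $val .= substr($sql, $i + 1, 1);
            $i += 2;
        }
        elsif ($c eq "'") {
            if (substr($sql, $i + 1, 1) eq "'") {   # doubled quote
                $val .= "'";
                $i += 2;
            }
            else {
                return ($val, substr($sql, $i + 1));
            }
        }
        else {
            $val .= $c;
            $i++;
        }
    }
    die "unterminated literal\n";
}

# Constructed attacker input for [cgi foo]: a backslash ahead of the quote.
my $payload = q{\' OR 1=1 -- };

for my $case ([quote_std => \&quote_std], [quote_mysql => \&quote_mysql]) {
    my ($name, $quote) = @$case;
    my $sql = 'select field from table where foo = ' . $quote->($payload);
    my ($val, $rest) = mysql_read_literal(substr($sql, index($sql, "'")));
    print "$name:\n  $sql\n";
    print "  MySQL reads value [$val]",
          ($rest =~ /\S/ ? ", then executes: $rest\n" : ", literal intact\n");
}

# The other direction, Daniel's point: MySQL-style output sent to a
# standard-conforming backend keeps the doubled backslash as data.
print "quote_mysql of 'C:\\temp' = ", quote_mysql('C:\temp'),
      "  (a standard-SQL backend stores two backslashes)\n";

# The form Mike describes: the driver binds the values, so there is no
# application-side quoting and no dialect to guess.  Assumes DBI + DBD::SQLite.
if (eval { require DBI; require DBD::SQLite; 1 }) {
    my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '', { RaiseError => 1 });
    $dbh->do('create table t (foo text, bar text, field text)');
    $dbh->do('insert into t values (?, ?, ?)', undef, $payload, 'x', 'only-row');
    my $sth = $dbh->prepare('select field from t where foo = ? and bar = ?');
    $sth->execute($payload, 'x');      # [cgi foo], [cgi bar] passed through untouched
    my @rows = map { $_->[0] } @{ $sth->fetchall_arrayref };
    print "placeholders: matched ", scalar(@rows), " row(s) for the raw payload\n";
    $sth->execute("' OR 1=1 -- ", 'x');
    print "placeholders: ", scalar(@{ $sth->fetchall_arrayref }),
          " row(s) for a classic injection string\n";
}
else {
    print "DBI/DBD::SQLite not installed; placeholder demo skipped\n";
}
```

Run it with plain `perl`. With the standard-SQL quoter the backslash in the payload swallows the doubled quote and MySQL executes `OR 1=1 -- '` outside the literal; with the MySQL-style quoter the literal stays intact, but that same output would carry a stray backslash into a standard-conforming backend. Bound parameters never touch the statement text, which is why the `arg.0`/`arg.1` form Mike wants is the safe one regardless of which table the query targets.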


