[ic] sql filter not 100% safe for MySQL

Mike Heins mike at perusion.com
Sun Jul 25 10:41:37 EDT 2004

Quoting Tony Fraser (tony at sybaspace.com):
> On Sat, 2004-07-24 at 20:15, Mike Heins wrote:
> > I would like to allow
> > 
> > 	[query
> > 		sql="select field from table where foo = ? and bar = ?"
> > 		arg.0="[cgi foo]"
> > 		arg.1="[cgi bar]"
> > 	    ]
> > 
> > but unfortunately the array-based args don't handle included ITL.
> > This would be the safest way to do it -- to have DBI do the quoting
> > for you as needed.
> > 
> > I will think about this and see if an epiphany happens. Until then,
> > defining a mysql filter is probably the way to go.
> I haven't dug around in the IC DB layer much but would it be possible to
> make [filter op="sql"] reach down the stack and do a
> $dbi_handle->quote()?

No, because if the query is in the quote parameters it is formulated
before you ever make the call to query -- and you have no way to
know which object you are filtering for.

That is why I like the idea of using DBI placeholders, because that
*does* have that knowledge.

In the above example, presuming you could get the [cgi foo] interpolated
and into the argument array, DBI does the filtering for you.

Mike Heins
Perusion -- Expert Interchange Consulting    http://www.perusion.com/
phone +1.765.647.1295  tollfree 800-949-1889 <mike at perusion.com>

Some people have twenty years of experience, some people have
one year of experience twenty times over. -- Anonymous

More information about the interchange-users mailing list