[ic] sql filter not 100% safe for MySQL

Balster balster at att.com
Mon Jul 26 13:23:45 EDT 2004


>
>Quoting Tony Fraser 
>(<http://www.icdevgroup.org/mailman/listinfo/interchange-users>tony at 
>sybaspace.com):
> > On Sat, 2004-07-24 at 20:15, Mike Heins wrote:
> > > I would like to allow
> > >
> > >     [query
> > >             sql="select field from table where foo = ? and bar = ?"
> > >             arg.0="[cgi foo]"
> > >             arg.1="[cgi bar]"
> > >         ]
> > >
> > > but unfortunately the array-based args don't handle included ITL.
> > > This would be the safest way to do it -- to have DBI do the quoting
> > > for you as needed.
> > >
> > > I will think about this and see if an epiphany happens. Until then,
> > > defining a mysql filter is probably the way to go.
> >
> >
> > I haven't dug around in the IC DB layer much but would it be possible to
> > make [filter op="sql"] reach down the stack and do a
> > $dbi_handle->quote()?
>
>No, because if the query is in the quote parameters it is formulated
>before you ever make the call to query -- and you have no way to
>know which object you are filtering for.
>
>That is why I like the idea of using DBI placeholders, because that
>*does* have that knowledge.
>
>In the above example, presuming you could get the [cgi foo] interpolated
>and into the argument array, DBI does the filtering for you.
>
>--
>Mike Heins
>Perusion -- Expert Interchange 
>Consulting    <http://www.perusion.com/>http://www.perusion.com/
>phone +1.765.647.1295  tollfree 800-949-1889 
><<http://www.icdevgroup.org/mailman/listinfo/interchange-users>mike at 
>perusion.com>

I addressed this issue in a different manner.  Depending upon how the data 
is to be used, I either translate the ' to ` which is a similar looking 
character, or else I translate it to &#39 if it is to be used in a location 
where HTML translation is available.  Thus, I am completely safe in never 
allowing a ' character into my SQL queries.





More information about the interchange-users mailing list