[ic] "==" and "!=" as DB field values

Stefan Hornburg racke at linuxia.de
Tue Oct 28 09:50:12 EST 2003


On Mon, 27 Oct 2003 12:16:27 -0800
Peter <peter at pajamian.dhs.org> wrote:

> Grant wrote:
> >>Most problems with content of the field would mostly occur with control 
> >>characters (ascii less than 32) and characters that need escaping in SQL 
> >>strings.
> >>
> >>Behaviour for control characters within a string is undefined (what does 
> >>SQL do if there is a carriage return or newline in a string before the 
> >>string is terminated?).
> >>
> >>In SQL statements, strings are enclosed between apostrophes ('), so if 
> >>your strings contain apostrophes and you want to send them to an SQL 
> >>field, you need to escape them by doubling them, otherwise the first 
> >>apostrophe in your string will be considered to be the string terminator. In 
> >>the best case this would cause incorrect SQL syntax; in the worst case, 
> >>an improperly escaped apostrophe can compromise the security of your 
> >>application.
> 
> Doesn't IC escape these automatically via the DBI quote function or via 
> '?'-type parameters?

Yes, in most cases. You need to take care of that if you are calling
the query method from embedded Perl like:

$Db{products}->query("select * from products where name = '$CGI->{foo}'");

=> that's unsafe IMHO

Ciao
	Racke

-- 
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team
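The contrast Racke points at, as an added example that is not part of the original post or of Interchange itself: the same lookup done by interpolating the value into the SQL string, by quoting it with DBI's `quote` method, and with a `?` placeholder. It uses plain DBI rather than Interchange's `$Db{products}->query` wrapper, and assumes DBI and DBD::SQLite are installed; the table rows and the input value `$foo` are constructed here.

```perl
#!/usr/bin/perl
# Added example, not from the original post. Assumes DBI and DBD::SQLite;
# the products table and the user input are constructed in memory.
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });

$dbh->do('CREATE TABLE products (sku TEXT, name TEXT)');
my $ins = $dbh->prepare('INSERT INTO products (sku, name) VALUES (?, ?)');
$ins->execute('os28004', "Ed's Rake");   # constructed row; the apostrophe is the point
$ins->execute('os28005', 'Trowel');

# Constructed user input, as it might arrive in $CGI->{foo}
my $foo = "Ed's Rake";

# 1. Interpolating into the SQL text: the apostrophe in $foo terminates
#    the string literal early, so the statement fails to parse. The input
#    is part of the SQL grammar here, which is what makes it unsafe.
my $unsafe_sql = "select * from products where name = '$foo'";
print "Interpolated SQL: $unsafe_sql\n";
my $rows = eval { $dbh->selectall_arrayref($unsafe_sql) };
print "  -> rejected by the database: $@" if $@;

# 2. Letting DBI quote the value: quote() doubles the apostrophe and
#    wraps the value in quotes, so the literal is well-formed.
my $quoted_sql = "select * from products where name = " . $dbh->quote($foo);
print "Quoted SQL: $quoted_sql\n";
$rows = $dbh->selectall_arrayref($quoted_sql);
printf "  -> %d row(s)\n", scalar @$rows;

# 3. Placeholder: the value is bound at execute time and never becomes
#    part of the SQL text, so no escaping is needed and the input cannot
#    alter the statement's structure. This is the form to prefer.
my $sth = $dbh->prepare('select sku, name from products where name = ?');
$sth->execute($foo);
while (my ($sku, $name) = $sth->fetchrow_array) {
    print "  -> $sku: $name\n";
}

$dbh->disconnect;
```

Run it as `perl example.pl`; the first query dies with a syntax error near the stray `s`, while the quoted and placeholder forms both return the `os28004` row. Of the two safe forms, the placeholder is the one to reach for by default, since it does not depend on remembering to quote every interpolated value.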
