[ic] sql filter not 100% safe for MySQL
Jack Cushman
jc at alexinteractive.com
Sat Jul 24 18:05:25 EDT 2004
> Query will not execute two statements, but it would certainly be
> possible
> to create a subquery situation.
>
> I wonder if MySQL has a way to ensure that \' is not interpreted
> as a single quote? That would be the best way to solve this.
I've been concerned about [filter sql] ignoring backslashes for a while
as well (never got around to writing ...). Another simple example of a
value that breaks the query, even with [filter sql], is any string that
ends in backslash:
SELECT * FROM user WHERE name='John\';
My solution is the same as John's -- escape both quotes and backslashes:
($trusted = $untrusted) =~ s/([\'\\])/\\$1/g;
SELECT * FROM user WHERE name='John\\';
Then, no matter how many backslashes or quotes the user enters, mysql
just treats them as data instead of affecting the query. Could we add a
standard mysql filter that escapes quotes and backslashes?
Thanks,
Jack
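As an added example (written in Python rather than Interchange's Perl, and not code from the post or from Interchange), here are the two filters side by side plus a small model of how MySQL reads a single-quoted literal, used to check whether the untrusted value stays inside the literal; it assumes the default sql_mode, where backslash escapes are enabled.

```python
import re

# The weak filter from the thread: escapes only the single quote.
def escape_quotes_only(value):
    return value.replace("'", "\\'")

# Jack's fix, s/([\'\\])/\\$1/g: escape both the quote and the backslash.
def escape_quotes_and_backslashes(value):
    return re.sub(r"(['\\])", r"\\\1", value)

def read_quoted_literal(sql):
    """Parse a '...' literal at the start of sql the way MySQL does under the
    default sql_mode: backslash escapes the next character, '' is a literal
    quote. Returns (value, rest) or None if the literal never terminates."""
    assert sql.startswith("'")
    out, i = [], 1
    while i < len(sql):
        c = sql[i]
        if c == "\\" and i + 1 < len(sql):          # backslash escape
            out.append(sql[i + 1]); i += 2
        elif c == "'" and sql[i + 1:i + 2] == "'":  # doubled quote
            out.append("'"); i += 2
        elif c == "'":                              # closing quote
            return "".join(out), sql[i + 1:]
        else:
            out.append(c); i += 1
    return None  # unterminated literal: the query is broken

def check_filter(escape_fn, untrusted):
    """Build the query from the post with the given filter and report whether
    the value comes back out of the literal intact, with nothing left over
    that the server would read as SQL. Returns (safe, recovered_value)."""
    query = "SELECT * FROM user WHERE name='%s';" % escape_fn(untrusted)
    parsed = read_quoted_literal(query[query.index("'"):])
    if parsed is None:
        return False, None
    value, rest = parsed
    return (rest == ";" and value == untrusted), value

if __name__ == "__main__":
    # Constructed sample inputs: a plain quote, a trailing backslash (the case
    # from the post), and a backslash followed by a quote.
    for u in ["O'Brien", "John\\", "a\\' b"]:
        print(repr(u), check_filter(escape_quotes_only, u),
              check_filter(escape_quotes_and_backslashes, u))
```

Only the quote-only filter leaves the trailing-backslash input unterminated and lets text after a backslash-quote pair escape the literal; the combined filter keeps every sample inside it.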
More information about the interchange-users mailing list