[ic] sql filter not 100% safe for MySQL

Tony Fraser tony at sybaspace.com
Sun Jul 25 02:59:26 EDT 2004


On Sat, 2004-07-24 at 20:15, Mike Heins wrote:
> I would like to allow
> 
> 	[query
> 		sql="select field from table where foo = ? and bar = ?"
> 		arg.0="[cgi foo]"
> 		arg.1="[cgi bar]"
> 	    ]
> 
> but unfortunately the array-based args don't handle included ITL.
> This would be the safest way to do it -- to have DBI do the quoting
> for you as needed.
> 
> I will think about this and see if an epiphany happens. Until then,
> defining a mysql filter is probably the way to go.


I haven't dug around in the IC DB layer much but would it be possible to
make [filter op="sql"] reach down the stack and do a
$dbi_handle->quote()?
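To make the distinction in this thread concrete, here is an added example (not code from Interchange or from either poster) showing the three ways of getting a CGI value into a query: plain string interpolation, DBI placeholders as in Mike's `arg.0`/`arg.1` sketch, and `$dbh->quote()` as Tony suggests. It assumes a constructed table `t` and uses DBD::SQLite in memory so it runs offline; the same DBI calls work unchanged against DBD::mysql, whose `quote()` also applies MySQL's backslash escaping, which is exactly the driver-specific knowledge a hand-written filter tends to miss.

```perl
#!/usr/bin/perl
# Added example, not part of the original thread or of Interchange.
# Contrasts string interpolation with DBI placeholders and $dbh->quote().
# Assumes DBD::SQLite (in-memory database, constructed table "t").
use strict;
use warnings;
use DBI;

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, AutoCommit => 1 });

$dbh->do('CREATE TABLE t (foo TEXT, bar TEXT, field TEXT)');
$dbh->do(q{INSERT INTO t VALUES ('O''Brien', 'x', 'found')});

# Constructed "CGI" input: a perfectly legitimate value containing a
# single quote, which is enough to break an unquoted statement.
my %cgi = (foo => "O'Brien", bar => 'x');

# 1. Naive interpolation: the quote inside the value corrupts the SQL.
my $naive = "select field from t where foo = '$cgi{foo}' and bar = '$cgi{bar}'";
my $rows  = eval { $dbh->selectall_arrayref($naive) };
print "interpolated: ", (defined $rows ? 'ran' : "failed: $@"), "\n";

# 2. Placeholders: the driver binds the values; no quoting happens in the
#    SQL text at all.  This is what arg.0 / arg.1 would map onto.
my $sth = $dbh->prepare('select field from t where foo = ? and bar = ?');
$sth->execute($cgi{foo}, $cgi{bar});
my ($field) = $sth->fetchrow_array;
print "placeholders: ", $field // 'no match', "\n";

# 3. $dbh->quote(): driver-specific escaping for the cases where the SQL
#    really has to be assembled as text (what a [filter op="sql"] that
#    reached down to the handle would do).
my $quoted = sprintf 'select field from t where foo = %s and bar = %s',
    $dbh->quote($cgi{foo}), $dbh->quote($cgi{bar});
($field) = $dbh->selectrow_array($quoted);
print "quote(): ", $field // 'no match', "\n";
```

Running it shows the interpolated statement failing to parse while both the placeholder and `quote()` versions return `found`. The placeholder form is preferable because the value never becomes part of the SQL text; `quote()` is the fallback, and because it is a method on the connected handle it escapes according to the rules of whichever driver is actually in use.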