[ic] sql filter not 100% safe for MySQL
Tony Fraser
tony at sybaspace.com
Sun Jul 25 02:59:26 EDT 2004
On Sat, 2004-07-24 at 20:15, Mike Heins wrote:
> I would like to allow
>
> [query
> sql="select field from table where foo = ? and bar = ?"
> arg.0="[cgi foo]"
> arg.1="[cgi bar]"
> ]
>
> but unfortunately the array-based args don't handle included ITL.
> This would be the safest way to do it -- to have DBI do the quoting
> for you as needed.
>
> I will think about this and see if an epiphany happens. Until then,
> defining a mysql filter is probably the way to go.
I haven't dug around in the IC DB layer much but would it be possible to
make [filter op="sql"] reach down the stack and do a
$dbi_handle->quote()?
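As an added illustration (not code from the thread or from Interchange), this sketches the `[query sql=... arg.N="[cgi ...]"]` shape Mike describes: the SQL text stays fixed, each arg has its `[cgi name]` tags resolved to a plain string, and the driver binds the values. Python's sqlite3 and the `resolve_arg`/`run_query` helpers are stand-ins for Perl DBI and ITL interpolation, and the `items` table is constructed sample data.

```python
import re
import sqlite3

# Constructed sample table standing in for the shop database.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("create table items (foo text, bar text, field text)")
    conn.executemany(
        "insert into items values (?, ?, ?)",
        [("a", "b", "row1"), ("a", "c", "row2"), ("o'neil", "b", "row3")],
    )
    return conn

# Matches an ITL-style [cgi name] tag inside an arg value.
CGI_TAG = re.compile(r"\[cgi\s+(\w+)\]")

def resolve_arg(arg: str, cgi: dict) -> str:
    """Hypothetical stand-in for ITL interpolation: expand every [cgi name]
    tag in one arg value to the matching CGI parameter (empty if absent).
    The result is only ever used as a bound value, never as SQL text."""
    return CGI_TAG.sub(lambda m: cgi.get(m.group(1), ""), arg)

def run_query(conn: sqlite3.Connection, sql: str, args: list, cgi: dict) -> list:
    """Execute a fixed SQL statement with '?' placeholders. args are the
    arg.0, arg.1, ... values from the tag; each is resolved and then handed
    to the driver, which quotes it as needed (the DBI behaviour the thread
    wants). Returns the first column of every matching row."""
    bound = [resolve_arg(a, cgi) for a in args]
    return [row[0] for row in conn.execute(sql, bound)]

if __name__ == "__main__":
    db = make_db()
    stmt = "select field from items where foo = ? and bar = ?"
    args = ["[cgi foo]", "[cgi bar]"]
    # A value with an apostrophe needs no filter: it is bound, not pasted in.
    print(run_query(db, stmt, args, {"foo": "o'neil", "bar": "b"}))  # ['row3']
    # SQL syntax inside a value is compared literally and matches nothing.
    print(run_query(db, stmt, args, {"foo": "a' or 'x'='x", "bar": "b"}))  # []
```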