From: Markus H. <mar...@mh...> - 2014-01-10 13:41:02
On 2014-01-10 14:17, Markus Hoenicka wrote:
> if I understand you correctly, you attempt to insert a value containing
> the string "%s Saints going down tonight!!!!!" using the libdbi function
> dbi_conn_queryf(). Thing is, dbi_conn_queryf() is intended to make
> dbi_conn_query() behave somewhat like sprintf() in that you can specify
> a formatting string containing placeholders like "%s", followed by
> parameters that are filled in. If you want to preserve the "%s"
> literally, you either need to escape or quote the values properly, or
> you should rather use dbi_conn_query() which sends the string parameter
> to the db engine literally. You still need to watch out for proper
> quoting and escaping as per the language specs of your db engine.

I forgot to mention that the dbi_conn_quote_string() and
dbi_conn_escape_string() functions and their relatives can do the
quoting and escaping for you, please check the manual.

regards,
Markus

--
Markus Hoenicka
http://www.mhoenicka.de
AQ score 38
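
The approach described in this message, as an added example that is not part of the original e-mail or of libdbi: quote_sql() and format_query() are hypothetical stand-ins for dbi_conn_quote_string() and the sprintf()-like step of dbi_conn_queryf(), and the table name and the apostrophe in the sample value are constructed. The statement stays a constant format string and the quoted value is passed as a parameter, so the "%s" inside the value reaches the database unchanged.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for dbi_conn_quote_string(); caller frees the result. */
char *quote_sql(const char *s)
{
    char *out = malloc(2 * strlen(s) + 3), *p = out;
    if (!out) return NULL;
    *p++ = '\'';
    for (; *s; s++) {
        if (*s == '\'') *p++ = '\'';   /* double embedded single quotes */
        *p++ = *s;
    }
    memcpy(p, "'", 2);                 /* closing quote plus NUL terminator */
    return out;
}

/* Hypothetical stand-in for the sprintf()-like step of dbi_conn_queryf(). */
char *format_query(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(NULL, 0, fmt, ap);   /* first pass: measure */
    va_end(ap);
    char *sql = n < 0 ? NULL : malloc((size_t)n + 1);
    if (!sql) return NULL;
    va_start(ap, fmt);
    vsnprintf(sql, (size_t)n + 1, fmt, ap);
    va_end(ap);
    return sql;
}

/* Constant format; the value is a parameter, so its "%s" is never expanded. */
char *build_insert(const char *value)
{
    char *quoted = quote_sql(value);
    char *sql = quoted ? format_query("INSERT INTO msgs (body) VALUES (%s)", quoted) : NULL;
    free(quoted);
    return sql;
}

int main(void)
{
    char *sql = build_insert("%s Saints goin' down tonight!!!!!"); /* constructed */
    if (sql) puts(sql);
    free(sql);
    return 0;
}
```

With libdbi itself, the quoting step belongs to the driver-aware functions named in the message rather than to a hand-written helper like this one.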