From: Lionel B. <lio...@bo...> - 2004-11-17 16:31:26
HaJo Schatz wrote the following on 17.11.2004 16:12:
>I suspect the sender contains "illegal" characters such as the
>backslash. Did you consider this? I'm wondering what an <INSERT ...
>("C:\DocumentsAndSettings...")..> would do.
>
>
This SQL can't hit the database with 1.2.0 and later: the '\' is
properly quoted by code looking like:
$dbh->quote($sender_name)
Perl DBI makes it easy to protect yourself against SQL injections by
providing the quote() method.
SQL injections work in the following way:
you run the concatenation "SELECT col FROM table WHERE key = " and a
value provided by a user you can't trust. If the value is something like
"iownyou; DELETE FROM another_table" you end up sending "DELETE FROM
another_table" to your database. Not a good thing...
What you want to do is let the database know that nothing in the
"iownyou; DELETE FROM another_table" string should be interpreted as the
end of the value against which key is compared. $dbh->quote("iownyou;
DELETE FROM another_table") makes sure it doesn't happen by properly
escaping the ';' character and whatever other character the database
would treat specially.
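As an added example (not from the original post or the project's own code), here is the same sender lookup done three ways with Perl DBI against a constructed in-memory DBD::SQLite table: plain string concatenation, $dbh->quote(), and a placeholder. The table name, column names and sample rows are assumptions for the demo; with a MySQL driver, quote() would likewise escape the backslash in the "C:\DocumentsAndSettings" sender name discussed above.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed in-memory database (assumes DBD::SQLite is installed);
# any DBI driver behaves the same way with respect to quote() and placeholders.
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, PrintError => 0 });
$dbh->do("CREATE TABLE senders (sender_name TEXT, score INTEGER)");
$dbh->do("INSERT INTO senders VALUES ('alice', 1)");
$dbh->do("INSERT INTO senders VALUES ('C:\\DocumentsAndSettings', 2)");

# Unsafe: the untrusted value is pasted straight into the SQL text, so a
# quote character inside it ends the literal and the rest becomes SQL.
sub score_unsafe {
    my ($sender_name) = @_;
    my $sql = "SELECT score FROM senders WHERE sender_name = '$sender_name'";
    return $dbh->selectall_arrayref($sql);
}

# Safe: quote() wraps the value in quotes and escapes every character the
# driver's database treats specially, so the whole string stays one literal.
sub score_quoted {
    my ($sender_name) = @_;
    my $sql = "SELECT score FROM senders WHERE sender_name = "
            . $dbh->quote($sender_name);
    return $dbh->selectall_arrayref($sql);
}

# Safer still: a placeholder never interpolates the value into the SQL at all;
# it is bound separately at execute time.
sub score_placeholder {
    my ($sender_name) = @_;
    return $dbh->selectall_arrayref(
        "SELECT score FROM senders WHERE sender_name = ?", undef, $sender_name);
}

# Constructed hostile value: closes the literal and appends a tautology,
# which makes the concatenated WHERE clause match every row.
my $hostile = "x' OR '1'='1";
printf "unsafe:      %d row(s)\n", scalar @{ score_unsafe($hostile) };
printf "quote():     %d row(s)\n", scalar @{ score_quoted($hostile) };
printf "placeholder: %d row(s)\n", scalar @{ score_placeholder($hostile) };
print  "quote() turned the value into: ", $dbh->quote($hostile), "\n";

# The legitimate name containing a backslash still matches when quoted.
printf "backslash name via quote(): %d row(s)\n",
       scalar @{ score_quoted("C:\\DocumentsAndSettings") };
```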