Re: [SQL] security: escaping user-supplied data

From: "Albert REINER" <areiner(at)tph(dot)tuwien(dot)ac(dot)at>
To: PostgreSQL-SQL <pgsql-sql(at)postgreSQL(dot)org>
Subject: Re: [SQL] security: escaping user-supplied data
Date: 1999-10-15 12:01:49
Message-ID: 19991015140149.D598@frithjof
Lists: pgsql-sql

On Wed, Oct 13, 1999 at 04:30:55PM -0700, tjk(at)tksoft(dot)com wrote:
> Here's a function in perl which should work for cleaning
> a string which is sent in a query:

Well, this obviously depends on the type of data you expect from the
user; I don't really see why you would like to get rid of double
backslashes (maybe the data is TeX code, and \\ has been assigned to
something useful). Furthermore, you don't really prevent the user from
storing \\; he just has to type \\\ instead --- a rather confusing
behavior:

$ perl -e '$a="\\\\\\"; print "$a\n"; $a =~ s/\\\\/\\/g; print "$a\n"; '
\\\
\\

But if you really want to prevent more than one \ in the string (which
may be useful for some applications), consider s/\\+/\\/g. I guess it
all depends on what type of data you want to store. By the way, for me
the need to run the modification several times has never arisen.

By the way, your clean_text() does not take care of %, which might be
important in LIKE-clauses: "select field where field like '%"
. clean_text('50% increase') . "'" might not do what you (or the user)
want.

Albert.

--

---------------------------------------------------------------------------
Post an / Mail to / Skribu al: Albert Reiner <areiner(at)tph(dot)tuwien(dot)ac(dot)at>
---------------------------------------------------------------------------
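The two points Albert raises above (collapsing doubled backslashes does not stop a user from storing \\, and a clean_text() that ignores % breaks LIKE patterns), worked through as an added example that is not part of the original thread. It uses Python's bundled sqlite3 as an offline stand-in for PostgreSQL (an assumption; PostgreSQL also accepts LIKE ... ESCAPE, and its default escape character is the backslash, so the explicit ESCAPE clause is portable). The table, rows and the simplified clean_text() are constructed here for illustration; the quoted perl clean_text() is not reproduced.

```python
import re
import sqlite3

# Constructed sample data: the rows a "50% increase" search should and
# should not match.
SAMPLE_ROWS = [
    "50% increase",
    "500 increase",
    "50 percent increase",
    "a 50% increase, roughly",
]


def collapse_double_backslashes(s: str) -> str:
    """Python equivalent of the quoted s/\\\\/\\/g: each pair of
    backslashes becomes one.  Three backslashes therefore survive as
    two, which is Albert's point: the user just types one more."""
    return re.sub(r"\\\\", r"\\", s)


def collapse_runs_of_backslashes(s: str) -> str:
    """Albert's suggested s/\\+/\\/g: any run of backslashes becomes
    exactly one, so no input can store more than a single backslash."""
    return re.sub(r"\\+", r"\\", s)


def clean_text(s: str) -> str:
    """Simplified stand-in (assumption) for a quote-doubling cleaner
    that, like the one criticised in the thread, leaves % untouched."""
    return s.replace("'", "''")


def escape_like(fragment: str, esc: str = "\\") -> str:
    """Escape LIKE metacharacters in a user-supplied fragment so that
    %, _ and the escape character itself match literally.  The escape
    character is doubled first so it cannot be re-interpreted."""
    return (fragment.replace(esc, esc + esc)
                    .replace("%", esc + "%")
                    .replace("_", esc + "_"))


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("create table t (field text)")
    conn.executemany("insert into t values (?)", [(r,) for r in SAMPLE_ROWS])
    return conn


def search_naive(conn: sqlite3.Connection, user_input: str) -> list:
    """The pattern from the thread: concatenation with clean_text().
    The user's % becomes a wildcard, so unrelated rows match."""
    sql = "select field from t where field like '%" + clean_text(user_input) + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_escaped(conn: sqlite3.Connection, user_input: str) -> list:
    """Wildcards in the user fragment are escaped and the whole pattern
    is passed as a bound parameter, so neither quoting nor backslash
    handling of the SQL string literal comes into play."""
    pattern = "%" + escape_like(user_input) + "%"
    return [row[0] for row in conn.execute(
        "select field from t where field like ? escape '\\'", (pattern,))]


if __name__ == "__main__":
    conn = make_db()
    print(repr(collapse_double_backslashes("\\\\\\")))   # two backslashes remain
    print(repr(collapse_runs_of_backslashes("\\\\\\")))  # one backslash remains
    print("naive:  ", search_naive(conn, "50% increase"))
    print("escaped:", search_escaped(conn, "50% increase"))
```

The naive query returns every sample row, because `%50% increase%` treats the user's percent sign as a wildcard; the escaped query returns only the two rows that actually contain the text "50% increase". Note that `_` is a single-character wildcard in LIKE and needs the same treatment as `%`.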
