At 02:31 +0200 on 12/10/1999, Jason Uhlenkott wrote:
> The statements I generate are usually of the form:
> INSERT INTO foo (bar, bas) VALUES ('abc', 'def');
> but the 'abc' and 'def' come from an untrusted source, so if they supply
> a string like "def'); delete from foo; '" they can make me do this:
> INSERT INTO foo (bar, bas) VALUES ('abc', 'def'); delete from foo; '');
>
> What do I need to do to prevent this? My current plan is to prepend a
> backslash to every single-quote, backslash, and semicolon in the
> untrusted string. Are there any other special characters I should watch
> out for? Is it possible to do something evil despite your special
> characters being prepended with a backslash?
I don't see why you would want to escape a semicolon. If you escape single
quotes and backslashes, the above situation won't happen - the string won't
be finished until the first unescaped quote - yours - is encountered.
Semicolons are not special in strings.
Herouth
--
Herouth Maoz, Internet developer.
Open University of Israel - Telem project
http://telem.openu.ac.il/~herutma
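An added illustration of the exchange above (example code, not part of the original thread): it rebuilds the exact statement Jason quotes from his hostile input, shows what the same input produces once quotes are escaped, and shows the parameterised form that makes escaping unnecessary. The table name `foo`, the columns `bar` and `bas`, and the hostile value are taken from the thread; SQLite is used only so the example runs offline, and it escapes by doubling the single quote (the SQL-standard method) rather than with a backslash, since SQLite does not treat backslashes as escape characters. The point is the same as Herouth's: the quote is the only character that can end the literal, so that is the one that has to be neutralised, and the semicolon is harmless inside a properly closed string.

```python
import sqlite3

# Constructed sample input: the hostile value quoted in the thread.
HOSTILE = "def'); delete from foo; '"


def naive_insert_sql(bar: str, bas: str) -> str:
    """Build the INSERT by pasting the raw values into the SQL text,
    which is the pattern the original post describes."""
    return f"INSERT INTO foo (bar, bas) VALUES ('{bar}', '{bas}');"


def quote_literal(value: str) -> str:
    """Return VALUE as an SQL string literal.

    Single quotes are doubled, which is the SQL-standard escape and the
    one SQLite understands.  The idea is the same as the backslash
    escaping discussed in the thread: nothing but an unescaped quote can
    close the literal, so the semicolon never reaches the parser as a
    statement separator.
    """
    return "'" + value.replace("'", "''") + "'"


def escaped_insert_sql(bar: str, bas: str) -> str:
    """Build the INSERT with every value passed through quote_literal()."""
    return (
        "INSERT INTO foo (bar, bas) VALUES ("
        + quote_literal(bar) + ", " + quote_literal(bas) + ");"
    )


def stored_values(bar: str, bas: str) -> list[tuple[str, str]]:
    """Insert (bar, bas) twice into a throwaway in-memory table, once via
    the escaped SQL text and once via a parameterised query, and return
    what the database actually stored (it should be the raw values)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foo (bar TEXT, bas TEXT)")
    conn.execute(escaped_insert_sql(bar, bas))
    # Parameterised form: the driver hands the values to the database
    # separately from the SQL text, so no escaping is needed at all.
    conn.execute("INSERT INTO foo (bar, bas) VALUES (?, ?)", (bar, bas))
    return conn.execute("SELECT bar, bas FROM foo ORDER BY rowid").fetchall()


if __name__ == "__main__":
    print(naive_insert_sql("abc", HOSTILE))    # two statements in one string
    print(escaped_insert_sql("abc", HOSTILE))  # still a single statement
    print(stored_values("abc", HOSTILE))       # hostile value stored verbatim
```

Of the three paths, the parameterised one is the one to use in practice: it removes the question "which characters are special?" entirely, whereas hand-rolled escaping has to be adapted to each database's literal syntax (doubled quotes here, backslashes in the PostgreSQL of the thread's era).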