Re: [SQL] security: escaping user-supplied data - Mailing list pgsql-sql

From Albert REINER
Subject Re: [SQL] security: escaping user-supplied data
Date
Msg-id 19991015140149.D598@frithjof
In response to Re: [SQL] security: escaping user-supplied data  ("tjk@tksoft.com" <tjk@tksoft.com>)
Responses Re: [SQL] security: escaping user-supplied data  ("tjk@tksoft.com" <tjk@tksoft.com>)
List pgsql-sql
On Wed, Oct 13, 1999 at 04:30:55PM -0700, tjk@tksoft.com wrote:
> Here's a function in perl which should work for cleaning
> a string which is sent in a query:

Well, this obviously depends on the type of data you expect from the
user; I don't really see why you would like to get rid of double
backslashes (maybe the data is TeX-Code, and \\ has been assigned to
something useful). Furthermore, you don't really prevent the user from
storing \\, he just has to type \\\ instead --- a rather confusing
behavior:
   $ perl -e '$a="\\\\\\"; print "$a\n"; $a =~ s/\\\\/\\/g; print "$a\n"; '
   \\\
   \\

But if you really want to prevent more than one \ in the string (which
may be useful for some applications), consider s/\\+/\\/g. I guess it
all depends on what type of data you want to store. By the way, for me
the need to run the modification several times has never arisen.

By the way, your clean_text() does not take care of %, which might be
important in LIKE-clauses: "select field where field like '%"
. clean_text('50% increase') . "'" might not do what you (or the user)
want.

Albert.


-- 
---------------------------------------------------------------------------
Post an / Mail to / Skribu al: Albert Reiner <areiner@tph.tuwien.ac.at>
---------------------------------------------------------------------------
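Worked example, added to this archive page and not part of the thread: Python rather than Perl, reproducing the two backslash-collapsing rules Albert compares above and showing why the '%' in user text such as '50% increase' needs escaping before it lands in a LIKE pattern. The LIKE matcher is a constructed model of the ESCAPE semantics, not PostgreSQL's code, and the `%s` placeholder mentioned in a comment is an assumed driver convention.

```python
import re

ESC = '\\'  # LIKE escape character, paired with ESCAPE '\' in the query (assumed choice)

def collapse_double_backslash(s: str) -> str:
    r"""tjk's rule, s/\\\\/\\/g: each pair of backslashes becomes one.
    Three typed backslashes survive as two, as the perl one-liner shows."""
    return re.sub(r'\\\\', lambda m: '\\', s)

def collapse_backslash_runs(s: str) -> str:
    r"""Albert's alternative, s/\\+/\\/g: any run of backslashes becomes one."""
    return re.sub(r'\\+', lambda m: '\\', s)

def escape_like(user_text: str, esc: str = ESC) -> str:
    r"""Prefix '%', '_' and the escape char so the user text matches literally.
    The result is meant to be bound as a parameter of
        ... WHERE field LIKE %s ESCAPE '\'      (placeholder syntax assumed)
    rather than spliced into the SQL string as in the thread's example."""
    return ''.join(esc + ch if ch in (esc, '%', '_') else ch for ch in user_text)

def like_to_regex(pattern: str, esc: str = ESC) -> re.Pattern:
    """Constructed model of LIKE ... ESCAPE semantics (not PostgreSQL's code):
    '%' matches any run, '_' one character, esc followed by X the literal X."""
    parts, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == esc and i + 1 < len(pattern):
            parts.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        parts.append('.*' if ch == '%' else '.' if ch == '_' else re.escape(ch))
        i += 1
    return re.compile('^' + ''.join(parts) + '$', re.DOTALL)

def like_match(value: str, pattern: str) -> bool:
    """True if value matches the LIKE pattern under the model above."""
    return like_to_regex(pattern).match(value) is not None

def contains_query(user_text: str, escaped: bool) -> str:
    """Build the '%...%' pattern from the thread, with or without escaping."""
    body = escape_like(user_text) if escaped else user_text
    return '%' + body + '%'

if __name__ == '__main__':
    typed = '\\\\\\'  # the three backslashes from the perl example
    print(repr(collapse_double_backslash(typed)), repr(collapse_backslash_runs(typed)))
    for v in ('a 50% increase!', '50 years of increase'):  # constructed sample rows
        print(v, like_match(v, contains_query('50% increase', False)),
              like_match(v, contains_query('50% increase', True)))
```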

