Re: non-standard escapes in string literals - Mailing list pgsql-hackers

From Lincoln Yeoh
Subject Re: non-standard escapes in string literals
Date
Msg-id 5.1.0.14.1.20020605114014.02dc4af0@192.228.128.13
In response to Re: non-standard escapes in string literals  (Lincoln Yeoh <lyeoh@pop.jaring.my>)
List pgsql-hackers
At 09:58 PM 6/4/02 +0200, Peter Eisentraut wrote:
>Lincoln Yeoh writes:
>
> > But for the ANSI standard how does one stuff \r\n\t and other control
> > characters into the database?
> >
> > If there's no way other than actually sending the control characters then
> > that is a bad idea especially from a security viewpoint.
>
>Why??

Quoting is to help separate data from commands. Though '' is sufficient for 
quoting ' it seems to me not sufficient for control characters.

There could be control characters that cause problems with the DB, and 
people may not be sufficiently aware of potential problems. If you just 
remove the problematic characters, it means you can't store them in the 
database - the db can become less useful.

Whereas with the current way of quoting control characters, if you are 
unsure what to quote, you could safely quote every "untrusted" character. 
Less chance of things going wrong. Also being able to quote allows you to 
store control characters in the database.

An example of what could go wrong: a RDBMS may treat raw backspaces as part 
of the command stream and not the data, and thus

insert into pics (data) values ('$CGIPARAM')
could become -
insert into pics (data) values('....JFIF^H^H^H^H^H^H...^H^H^HUPDATE row 
from IMPORTANT where (rowid='1')
Which is treated as
UPDATE row from IMPORTANT where (rowid='1')

And so a file upload becomes an insidious alteration of important data.

Hope that helps,
Link.
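As an added example (not part of this thread or of PostgreSQL itself), the following Python does what the post argues for: every control or non-ASCII byte in untrusted data is written as a backslash escape inside a PostgreSQL E'...' literal, so a raw backspace can never reach the command stream, and a small decoder checks that the server-side value round-trips. The escape forms used (\xHH, octal, \b \f \n \r \t, doubled '' and \\) are PostgreSQL's E-string syntax; the function names and the sample "upload" bytes are constructed for this example.

```python
import re

# Constructed sample "upload": raw backspaces followed by SQL text, the case from the post.
UPLOAD = b"....JFIF" + b"\x08" * 6 + b"UPDATE row from IMPORTANT where (rowid='1')"

def pg_escape_literal(data: bytes) -> str:
    """Render untrusted bytes as an E'...' literal: every control/non-ASCII byte becomes \\xHH."""
    parts = []
    for b in data:
        if b == 0x27:               # ' is doubled, as in standard SQL
            parts.append("''")
        elif b == 0x5C:             # \ introduces escapes, so it must be escaped itself
            parts.append("\\\\")
        elif 0x20 <= b < 0x7F:      # printable ASCII passes through unchanged
            parts.append(chr(b))
        else:                       # backspace, newline, 0x80+ ... never sent raw
            parts.append("\\x%02x" % b)
    return "E'" + "".join(parts) + "'"

_NAMED = {"b": 0x08, "f": 0x0C, "n": 0x0A, "r": 0x0D, "t": 0x09}
_ESCAPE = re.compile(r"\\(x[0-9a-fA-F]{1,2}|[0-7]{1,3}|.)", re.S)

def pg_unescape_literal(literal: str) -> bytes:
    """Decode an E'...' literal to the bytes the server would store; rejects an undoubled quote."""
    if not (literal.startswith("E'") and literal.endswith("'")):
        raise ValueError("not an E'...' literal")
    body, out, i = literal[2:-1], bytearray(), 0
    while i < len(body):
        if body[i] == "'":
            if not body.startswith("''", i):
                raise ValueError("unescaped quote inside literal")
            out.append(0x27)
            i += 2
        elif body[i] == "\\":
            m = _ESCAPE.match(body, i)
            if m is None:
                raise ValueError("dangling backslash")
            esc = m.group(1)
            if esc[0] == "x" and len(esc) > 1:       # \xH or \xHH
                out.append(int(esc[1:], 16))
            elif esc[0] in "01234567":               # \o, \oo or \ooo
                out.append(int(esc, 8))
            else:                                    # \n \t ..., or literal char
                out.append(_NAMED.get(esc, ord(esc)))
            i = m.end()
        else:
            out.extend(body[i].encode("utf-8"))
            i += 1
    return bytes(out)
```

The escaped form of the sample contains no byte below 0x20 at all, only printable `\x08` sequences, while decoding it yields the original bytes unchanged.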
