On 2003-11-10 16:15:44 +0100, Balazs Scheidler wrote:
> Setting the default for 'no' in templates is a security issue when sending the template output to a database server (fairly common setup), imagine an SQL query like:
>
> INSERT INTO logdb (MSG) values ('Nov 12 12:23:34 localhost message';DROP DATABASE logdb');
>
> if the quotation mark is not protected by a backslash, the DROP DATABASE command will be executed. I think this scenario is less visible to a normal user, at least it is more difficult to notice this possibility.
The proper quoting depends on the database, however. For example, Oracle doesn't recognize a backslash as quoting character:

SQL> insert into foo values('foo\'bar');
ERROR:
ORA-01756: quoted string not properly terminated

You have to double the single quotes:

SQL> insert into foo values('foo''bar');
1 row created.

I think this is also ANSI SQL; the backslash is a MySQL extension.

hp
-- 
   _  | Peter J. Holzer    | We have failed our own creation and given
|_|_) | Sysadmin WSR       | birth something truly awful. We're just too
| |   | hjp@hjp.at         | busy cooing over the pram to notice.
__/   | http://www.hjp.at/ |    -- http://www.internetisshit.org
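The difference between backslash escaping and quote doubling that the reply describes can be checked offline. The following is an added example, not code from the thread or from syslog-ng; it uses SQLite as a stand-in for an engine with ANSI-style quoting (Oracle in the reply), which is an assumption, and the log line is constructed. It inserts the same message four ways: unescaped, backslash-escaped, with doubled quotes, and as a bound parameter, and reports what each attempt stored or which error it raised.

```python
import sqlite3

# Constructed sample log line containing a single quote, the character
# the thread is concerned with (it is not a real syslog record).
SAMPLE_MSG = "Nov 12 12:23:34 localhost user O'Brien logged in"


def escape_backslash(s: str) -> str:
    """MySQL-style escaping: protect each single quote with a backslash."""
    return s.replace("'", "\\'")


def escape_double(s: str) -> str:
    """ANSI SQL escaping: double each single quote inside the literal."""
    return s.replace("'", "''")


def try_insert(sql: str, params=None) -> str:
    """Run one INSERT against a fresh in-memory SQLite database.

    Returns the MSG value that was actually stored, or a string starting
    with 'error:' if the statement was rejected by the parser/engine.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logdb (MSG TEXT)")
    try:
        conn.execute(sql, params or ())
        return conn.execute("SELECT MSG FROM logdb").fetchone()[0]
    except sqlite3.Error as exc:
        return f"error: {exc}"
    finally:
        conn.close()


def compare_quoting(msg: str) -> dict:
    """Insert msg using each quoting strategy and collect the outcomes."""
    return {
        # Raw interpolation: the quote in the message terminates the literal.
        "unescaped": try_insert(
            f"INSERT INTO logdb (MSG) VALUES ('{msg}')"),
        # Backslash is not an escape character in ANSI-style engines, so the
        # quote still terminates the literal and the statement is malformed.
        "backslash": try_insert(
            f"INSERT INTO logdb (MSG) VALUES ('{escape_backslash(msg)}')"),
        # Doubled quotes are the portable way to put a quote in a literal.
        "doubled": try_insert(
            f"INSERT INTO logdb (MSG) VALUES ('{escape_double(msg)}')"),
        # Bound parameters never go through the SQL parser as text at all.
        "parameterized": try_insert(
            "INSERT INTO logdb (MSG) VALUES (?)", (msg,)),
    }


if __name__ == "__main__":
    for strategy, outcome in compare_quoting(SAMPLE_MSG).items():
        print(f"{strategy:14s} -> {outcome}")
```

On an ANSI-style engine only the doubled-quote and parameterized variants store the message intact; the unescaped and backslash-escaped statements are rejected as malformed, which is the same failure the ORA-01756 output above shows. Binding the message as a parameter sidesteps the per-database quoting rules entirely, so it is the approach to prefer when a log sink writes into SQL.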