On Tue, Nov 11, 2003 at 10:55:16AM +0100, Peter J. Holzer wrote:
> On 2003-11-10 16:15:44 +0100, Balazs Scheidler wrote:
> > Setting the default for 'no' in templates is a security issue when sending the template output to a database server (fairly common setup), imagine an SQL query like:
> >
> >     INSERT INTO logdb (MSG) values ('Nov 12 12:23:34 localhost message';DROP DATABASE logdb');
> >
> > if the quotation mark is not protected by a backslash, the DROP DATABASE command will be executed. I think this scenario is less visible to a normal user, at least it is more difficult to notice this possibility.
>
> The proper quoting depends on the database, however. For example, Oracle doesn't recognize a backslash as a quoting character:
>
>     SQL> insert into foo values('foo\'bar');
>     ERROR: ORA-01756: quoted string not properly terminated
>
> you have to double the single quotes:
>
>     SQL> insert into foo values('foo''bar');
>     1 row created.
>
> I think this is also ANSI SQL, the backslash is a mysql extension.
Thanks for the info, I've added a bug ticket to our bugzilla, this will be added in the future.

--
Bazsi
PGP info: KeyID 9AF8D0A9  Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1