[Gambas-user] Database and SQL code injection

Benoit Minisini gambas at ...1...
Fri Sep 14 08:21:25 CEST 2007


On Friday 14 September 2007, ron wrote:
> On Thursday 13 September 2007 23:48, Benoit Minisini wrote:
> > Well, back to Gambas now. I want to go further, by simply rejecting any
> > call to Exec(), Find() or Delete(), if the first argument includes some
> > quoting characters.
> >
> > This way, you will be compelled to use the quoting arguments.
> >
> > What do you think about that?
> >
> > --
> > Benoit Minisini
>
> Proposal is not bad but I prefer a way to bypass all gambas mangling for
> using DB.Exec("select concat("today=",`age`,now()) as `age` from
> `tblBenoit`;")
>

Wow. What does your request do? :-)

Maybe I should make another method, without the check ?

I notice that I have to allow quoting before operands, but not after. I don't 
know enough SQL to be sure that it won't forbid non-dangerous expressions 
in all cases...

-- 
Benoit Minisini
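The trade-off argued over in this thread, shown as an added example that is not Gambas code and not part of the original mail: a check that rejects any query text containing quoting characters, a parameterized path that the check steers callers toward, and the kind of legitimate query (string literal and quoted identifiers in the SQL itself) that the same check wrongly refuses. Python's built-in sqlite3 stands in for the Gambas DB component; the table, rows, function names and the exact set of rejected characters are assumptions for the illustration.

```python
import sqlite3

# Constructed in-memory table standing in for the `tblBenoit` of the thread.
def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, age INTEGER)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", 30), ("bob", 41)])
    return con

# Assumed set of "quoting characters": single quote, double quote, backtick.
QUOTE_CHARS = set("'\"`")

def has_quote_chars(sql: str) -> bool:
    """The proposed check: True if the SQL text itself carries a quote char."""
    return any(c in QUOTE_CHARS for c in sql)

def exec_concat(con: sqlite3.Connection, name: str) -> list:
    """Vulnerable pattern: untrusted data glued into the query text.
    Returns the list of ages matched."""
    sql = "SELECT age FROM users WHERE name = '" + name + "'"
    return [row[0] for row in con.execute(sql)]

def exec_checked(con: sqlite3.Connection, sql: str, *args) -> list:
    """Hardened pattern: refuse quote chars in the template, then bind
    values as parameters so the driver quotes them, not the caller."""
    if has_quote_chars(sql):
        raise ValueError("quoting characters in query text; pass values as parameters")
    return [tuple(row) for row in con.execute(sql, args)]

if __name__ == "__main__":
    con = make_db()
    # Honest input works in both styles.
    print(exec_concat(con, "alice"))                                  # [30]
    # Classic injection: the WHERE clause is rewritten and every row leaks.
    print(exec_concat(con, "x' OR '1'='1"))                           # [30, 41]
    # Same hostile string as a bound parameter matches nothing.
    print(exec_checked(con, "SELECT age FROM users WHERE name = ?",
                       "x' OR '1'='1"))                               # []
    # The false positive ron complains about: a legitimate string literal
    # in the SQL text is rejected by the quote-character heuristic.
    ron_style = "SELECT 'today=' || age AS age FROM users"
    print(has_quote_chars(ron_style))                                 # True
```

The heuristic catches the common mistake (a caller building the text with string concatenation) only because quote characters are the usual symptom, not the cause; the real protection is the parameter binding, which is why an unchecked variant of the call, as Benoit suggests, would still be safe as long as it is only used with constant query text.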
