[sclug] URL encoding/decoding question

ed ed at ednevitible.co.uk
Sun Feb 19 20:39:19 UTC 2006


On Sun, 19 Feb 2006 20:07:21 +0000
"Roland Turner (SCLUG)" <raz.fpyht.bet.hx at raz.cx> wrote:

> This is wasteful, ugly and not portable. You _REALLY_ shouldn't allow
> any data coming from a potentially hostile web-browser (which is
> pretty much all of them) to go anywhere near a SQL parser (nor in fact
> a parser for any other language)[1].
> 
> All SQL statements used in web apps should be parametric. Needless to
> say, the existence of SQL injection vulnerabilities in hundreds
> (probably thousands) of web-apps demonstrates that many developers
> don't adhere to this practice.
>
> 1: OK, I'm overstating a bit, particularly since Pieter's objective is
> a web-based HTML editor (so the form content from the browser will
> eventually be presented to a browser as HTML that is to be
> interpreted), but it's still sound practice to keep the exposure to a
> minimum.

I'm not telling the OP how to verify the data, just how to get it into
the database in a sane format. There is no need to escape things that
don't need escaping. For all I know he could be trying to encode binary.

If it is wasteful, ugly and not portable can you explain how, as that
is how one should insert when not using PreparedStatement.

-- 
Regards, Ed                      :: http://www.usenix.org.uk
:%s/\t/  /g                      :: proud unix system person
:%s/Open Source/Free Software/g
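As an added illustration (not from this thread), the two insertion styles Ed and Roland are arguing about, written against Python's sqlite3 module rather than Java's PreparedStatement: splicing form data into the SQL text breaks on an apostrophe, while the parametric form stores both a quoted title and arbitrary binary intact with no escaping at all. The table name and sample inputs are constructed for the example.

```python
import sqlite3

# Constructed sample inputs, standing in for form data arriving from a browser.
HOSTILE_TITLE = "O'Reilly's <b>draft</b>"   # contains an apostrophe
BINARY_BODY = bytes(range(256))              # arbitrary bytes, including NUL and quotes


def fresh_db() -> sqlite3.Connection:
    """In-memory table resembling a web-based HTML editor's page store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (title TEXT, body BLOB)")
    return conn


def insert_by_concatenation(conn: sqlite3.Connection, title: str) -> str:
    """The pattern the thread warns against: browser data spliced into SQL text.
    Returns 'ok' or the parser's error; the apostrophe in the data changes the SQL."""
    sql = "INSERT INTO pages (title, body) VALUES ('" + title + "', NULL)"
    try:
        conn.execute(sql)
        return "ok"
    except sqlite3.Error as exc:
        return f"error: {exc}"


def insert_parametric(conn: sqlite3.Connection, title: str, body: bytes) -> None:
    """The recommended form: the SQL text is fixed and the values travel
    separately as parameters, so quotes and binary need no escaping."""
    conn.execute("INSERT INTO pages (title, body) VALUES (?, ?)", (title, body))


def stored_page(conn: sqlite3.Connection, title: str):
    """Fetch a row back, again via a parameter, to show the round-trip is lossless."""
    return conn.execute(
        "SELECT title, body FROM pages WHERE title = ?", (title,)
    ).fetchone()


def demo():
    """Returns (result of the concatenated insert, row stored by the parametric one)."""
    conn = fresh_db()
    concat_result = insert_by_concatenation(conn, HOSTILE_TITLE)
    insert_parametric(conn, HOSTILE_TITLE, BINARY_BODY)
    return concat_result, stored_page(conn, HOSTILE_TITLE)


if __name__ == "__main__":
    result, row = demo()
    print("concatenation:", result)
    print("parametric round-trip intact:", row == (HOSTILE_TITLE, BINARY_BODY))
```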
