[sclug] URL encoding/decoding question

Dickon Hood sclug at splurge.fluff.org
Mon Feb 20 09:48:56 UTC 2006


On Sun, Feb 19, 2006 at 19:58:00 +0000, Roland Turner (SCLUG) wrote:
: On Sun, 2006-02-19 at 18:08 +0000, Dickon Hood wrote:

: > I'm going to guess, but it's because he isn't using placeholders, and is
: > attempting to URL encode everything to avoid SQL-special characters.  It's
: > the sort of thing I've done in the past for similar reasons.

: I assume by placeholders you mean parametric statements (i.e. statements
: with "?" to stand for "IN parameters" which are later set with set*()
: calls).

I do.  I've been using Perl's DBI too much, clearly.

: I further assume that after my extensive lecturing on the subject,
: Pieter wouldn't dare construct SQL statements by simply concatenating
: string fragments with whatever slop came from a web-browser :-)

...oh dear :-)

Having said that, it's a very useful feature.  If you trust content from
your users, they can helpfully fix any mistakes you've made in your
database.  The BBC's room access control system being one example I can
immediately think of: we managed to fix a colleague's entry in the
database by firing arbitrary SQL at the webserver...

-- 
Dickon Hood

Due to digital rights management, my .sig is temporarily unavailable.
Normal service will be resumed as soon as possible.  We apologise for the
inconvenience in the meantime.

No virus was found in this outgoing message as I didn't bother looking.
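Added example, not from the thread or from Pieter's code: the placeholder-versus-concatenation point discussed above, written in Python with sqlite3 (which uses the same "?" IN-parameter style as the DBI/JDBC statements mentioned) rather than Perl. The table, the names and the lookup functions are all constructed for the example; the "urlencoded" variant is the guessed workaround of percent-encoding everything before splicing it into the SQL.

```python
import sqlite3
from urllib.parse import quote

# Constructed sample data: a tiny "room access" table standing in for
# whatever the web application actually talks to.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, room TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "101"), ("o'brien", "102"), ("bob", "103")])
    return conn

def lookup_concat(conn, name):
    # Concatenation: whatever the browser sent becomes part of the SQL text.
    sql = "SELECT name, room FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_urlencoded(conn, name):
    # The guessed workaround: percent-encode the value so no SQL-special
    # characters survive, then concatenate anyway.  Injection is defanged,
    # but a legitimate name containing an apostrophe can no longer be found.
    sql = "SELECT name, room FROM users WHERE name = '" + quote(name, safe="") + "'"
    return conn.execute(sql).fetchall()

def lookup_placeholder(conn, name):
    # Parametric statement: '?' marks an IN parameter and the driver binds the
    # value separately, so the value is never parsed as SQL.
    return conn.execute("SELECT name, room FROM users WHERE name = ?",
                        (name,)).fetchall()

def compare(name):
    """Run all three lookups on one input; a failed parse reports 'SQL error'."""
    conn = make_db()
    out = {}
    for label, fn in (("concat", lookup_concat),
                      ("urlencoded", lookup_urlencoded),
                      ("placeholder", lookup_placeholder)):
        try:
            out[label] = fn(conn, name)
        except sqlite3.Error:
            out[label] = "SQL error"
    return out

if __name__ == "__main__":
    # "o'brien" is a real row; the last probe is the classic tautology test.
    for probe in ("alice", "o'brien", "x' OR 'a'='a"):
        print(repr(probe), compare(probe))
```

Only the placeholder version both finds o'brien and returns nothing for the tautology; concatenation returns every row for it and throws a syntax error on the legitimate apostrophe.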
