[Opensource] Another test on everybody's database....
Michael Rimov
rimovm at centercomp.com
Wed Oct 30 23:03:28 PST 2002
Hey All....
Removing potential SQL injection issues in databases. Currently, for
DoubleQuoteEscapeHandler, I do the following: [For working with literal
strings]
' gets replaced with: ''
" gets removed altogether.
So the field Cote D'ivoire becomes, in the SQL string, Cote D''ivoire (as an
example).
I came across a situation for SapDB where the following works:
' gets replaced with: ''
" gets replaced with: '" (That's a single quote followed by a double quote)
Does the single quote acting as an escaping mechanism work for your
DBs? If so, let me know what DB you're using. If not, please let me know
what DB you're using.
[Before you test this, AFAICT, the above will NOT work on Postgres and
MySQL anyway]
Thanks in advance!
-Mike
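The two escaping variants described in the post, as an added example that is not the original handler's code: `escape_literal` mirrors the current DoubleQuoteEscapeHandler behaviour and the SapDB variant (the style names "default" and "sapdb" are this example's own), and `roundtrips` checks the result against a real engine (SQLite, which uses standard doubled-quote escaping) instead of trusting it by eye. `roundtrips_parameterized` shows the alternative that needs no dialect-specific escaping at all: a bound parameter.

```python
import sqlite3


def escape_literal(value: str, style: str = "default") -> str:
    """Escape a value for embedding inside a single-quoted SQL literal.

    "default": the post's current handler: ' -> '' and " is dropped.
    "sapdb":   the SapDB variant: ' -> '' and " -> '" (quote then double quote).
    Style names are this example's own, not the handler's API.
    """
    if style == "default":
        return value.replace("'", "''").replace('"', "")
    if style == "sapdb":
        return value.replace("'", "''").replace('"', "'\"")
    raise ValueError(f"unknown style: {style}")


def quote_literal(value: str, style: str = "default") -> str:
    """Wrap the escaped value in single quotes, ready to splice into SQL."""
    return "'" + escape_literal(value, style) + "'"


def roundtrips(value: str, style: str = "default") -> bool:
    """Check: does the literal come back unchanged from SQLite?

    Returns False if the engine rejects the statement or alters the value
    (e.g. the "default" style silently drops every double quote).
    """
    conn = sqlite3.connect(":memory:")
    try:
        row = conn.execute("SELECT " + quote_literal(value, style)).fetchone()
        return row[0] == value
    except sqlite3.Error:
        return False
    finally:
        conn.close()


def roundtrips_parameterized(value: str) -> bool:
    """Same check with a bound parameter: the driver handles quoting,
    so no per-database escape rule is needed and nothing is lost."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute("CREATE TABLE country (name TEXT)")
        conn.execute("INSERT INTO country VALUES (?)", (value,))
        row = conn.execute("SELECT name FROM country WHERE name = ?", (value,)).fetchone()
        return row is not None and row[0] == value
    finally:
        conn.close()
```

The doubled-quote rule round-trips on engines that follow standard SQL quoting; whether the `'"` form does is exactly the per-database question the post asks, which is why testing against the target engine (as `roundtrips` does) beats assuming.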