Hi Henning! Monday, April 21, 2008, you wrote:

>> SQL injection can happen with any of blob, text, char, varchar if not
>> escaped. There is no distinction between the 2 regarding this issue.
> at least db_mysql and db_postgres use escaping functions for DB_STRING,
> DB_STR and DB_BLOB.
> Iouri, how is this handled in the db_oracle module?

This depends on what you mean :). If you mean the driver implementation, it does not use escaping, because variable binding is used, and there are no problems with the "boundaries" of substrings (in particular, this is why I wish to expand the db-api in such a way that the modules do not use db_rawquery).

However, if the question is whether Oracle has escaping at all, the answer would be... "not quite" :). Oracle treats '' as a single ', while for the transfer of nonprintable characters, string concatenation can be used. For example, if we want to transfer something like the string "abc\0cde" in a string-form SQL request, then we should write it as follows: 'abc'||to_char(0)||'cde'.

By the way, all of this is valid for fields of the VARCHAR and CLOB types, whereas with BLOB this does not work: from the standpoint of Oracle, a BLOB cannot be represented in text form at all.

Best regards,
Iouri mailto:[EMAIL PROTECTED]

_______________________________________________
Devel mailing list
Devel@lists.openser.org
http://lists.openser.org/cgi-bin/mailman/listinfo/devel
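The three options discussed in the message above (pasting a value into the statement text, rendering it as an Oracle string literal by doubling quotes and splicing non-printable characters in with ||, and handing it to the driver as a bind variable) side by side, as an added example that is not part of the original thread and not code from the OpenSER db_oracle module. It assumes a hypothetical `subscriber` table with a `username` column, uses Oracle's `CHR(n)` function (which returns the character with code `n`) for the non-printable pieces, and refuses `bytes` input because, as the message says, a BLOB has no text form in Oracle. The `literal_count()` helper is a constructed check that shows the escaped statement still contains exactly one string literal while the unescaped one has been split by a classic quote-breaking payload.

```python
# Added example (not the OpenSER db_oracle module): the same SELECT built
# three ways, assuming a hypothetical subscriber(username) table.

UNSAFE_TEMPLATE = "SELECT id FROM subscriber WHERE username = '{}'"
BOUND_TEMPLATE = "SELECT id FROM subscriber WHERE username = :1"


def oracle_string_literal(value: str) -> str:
    """Return an Oracle SQL expression that evaluates to `value`.

    Printable runs become '...' with embedded quotes doubled ('' is one
    quote to Oracle); each control character is emitted as CHR(n) and the
    pieces are concatenated with ||, so a NUL or newline never appears raw
    inside the statement text. Only VARCHAR/CLOB style text is supported:
    BLOB content has no text form and must be bound instead.
    """
    if isinstance(value, bytes):
        raise TypeError("BLOB content cannot be written as a text literal; bind it")

    parts: list[str] = []
    run: list[str] = []

    def flush() -> None:
        if run:
            parts.append("'" + "".join(run).replace("'", "''") + "'")
            run.clear()

    for ch in value:
        code = ord(ch)
        if code < 0x20 or code == 0x7F:   # control character: splice in CHR(n)
            flush()
            parts.append(f"CHR({code})")
        else:
            run.append(ch)
    flush()
    return "||".join(parts) if parts else "''"


def query_unescaped(username: str) -> str:
    """Vulnerable form: the raw value is pasted straight into the literal."""
    return UNSAFE_TEMPLATE.format(username)


def query_escaped(username: str) -> str:
    """Same statement with the value rendered by oracle_string_literal()."""
    return "SELECT id FROM subscriber WHERE username = " + oracle_string_literal(username)


def query_bound(username: str) -> tuple[str, list[str]]:
    """Bind-variable form: the value never touches the SQL text, so no
    escaping rule applies and the literal boundaries cannot be broken."""
    return BOUND_TEMPLATE, [username]


def literal_count(sql: str) -> int:
    """Count the string literals in `sql`, treating '' inside a literal as
    an escaped quote rather than a boundary (constructed check for the demo)."""
    count, i, inside = 0, 0, False
    while i < len(sql):
        if sql[i] == "'":
            if inside and i + 1 < len(sql) and sql[i + 1] == "'":
                i += 2          # doubled quote stays inside the literal
                continue
            inside = not inside
            if not inside:
                count += 1
        i += 1
    return count


if __name__ == "__main__":
    payload = "x' OR '1'='1"
    print(query_unescaped(payload), "->", literal_count(query_unescaped(payload)), "literals")
    print(query_escaped(payload), "->", literal_count(query_escaped(payload)), "literal")
    print(query_escaped("abc\0cde"))
    print(query_bound(payload))
```

Running the block prints the unescaped statement broken into three literals, the escaped one holding together as a single literal, the `'abc'||CHR(0)||'cde'` rendering of a string containing NUL, and the bound form whose SQL text is independent of the value. The bound form is the one a driver that binds parameters (as the message says db_oracle does) needs; the escaper only matters when a caller insists on building statement text by hand.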