I've looked at this a bit more, and learned a bit more about mysql. I
have reduced the problem to a point where it is no longer a boltwire
issue, but I would appreciate comments and help anyway.

I have limited the problem to needing to escape the {+:title} input
before executing the function.

In fact, looking at mysql, I should generally be escaping everything I
send except commands, using the mysql_real_escape function. However,
escaping should only be required where a malformed mysql query could
damage the database. My plugin lets me use a mysql-login with reduced
privileges on pages that are publicly editable and viewable, so even
with a malformed query, no damage should be done. This is assuming mysql
privileges are worth their salt... Please correct me if my reasoning
is flawed. According to this reasoning, I would at most need to escape
input taken by privileged users, mined from outside input
(registration names or similar). I would not need to escape queries
designed by those with only access to under-privileged mysql-logins.

So. The problem becomes "how shall I escape the input between 'real'
single-quotes?".

I require escaped single quotes in parts of a string I cannot directly
control at the time of query, in order to distinguish these from
single quotes that are required by mysql.
So, I use a form of escaped quotes in the part I can distinguish, and
escape anything in between. This will secure the query slightly, as
the escaped single quotes become the problem. I can still see places
where this might be a problem though, especially if we are inserting
data specified by outsiders.

Another solution is to specify a way to separate out the string to
escape, something like:
[(mysql username "INSERT INTO table ('name') values ('(?name)')"
inserts['name']="{+:title}")]

This comes close to what I've found on google called a parametrized
query. It seems the superior solution. I would very much enjoy
comments on the matter, I'm sure my 2 hour crash course in everything
sql and mysql has left some holes in my understanding :p

On Sep 21, 6:36 pm, DrunkenMonk <[email protected]> wrote:
> I've created a simple wrapper function for mysql access, which is
> working fine, but it's breakable in some irritating ways.
>
> Most importantly, consider a page with title "rawson's pet rabbit"
>
> <(mysql BOLTmysqluser 'INSERT INTO list (name) values ("{+:title}")')>
>
> this inputs a "'" character into the line, and the line sent to my
> function as $args[1] becomes
>
> INSERT INTO list (name) values ("Rawson
>
> How can I fix this? I need logic in my command, so I have to use '<('
> or the [if*] commands won't get parsed before the command, otherwise I
> believe I can use '[(' to circumvent the problem, I'm not sure.
>
> Also, are there still people interested in a mysql plugin?
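The three approaches discussed in this thread (pasting the title straight into the statement, escaping it first, and a parameterized query) side by side, as an added example that is not code from the thread or from the BoltWire plugin. It uses Python's sqlite3 module as a stand-in for MySQL (an assumption; the table name `list` and the title "rawson's pet rabbit" come from the thread, everything else is constructed):

```python
import sqlite3

# Constructed sample input: the page title from the thread, which contains
# the apostrophe that breaks the pasted-in statement.
SAMPLE_TITLE = "rawson's pet rabbit"


def fresh_table():
    """In-memory SQLite table standing in for the MySQL `list` table (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE list (name TEXT)")
    return conn


def stored_names(conn):
    """Return every stored name, so each approach can be checked on the result."""
    return [row[0] for row in conn.execute("SELECT name FROM list")]


def insert_by_pasting(title):
    """The title is pasted into the SQL text, as the wrapper macro in the
    thread does. Returns the stored rows, or the database error the broken
    statement raised (the apostrophe ends the string literal early)."""
    conn = fresh_table()
    sql = "INSERT INTO list (name) VALUES ('%s')" % title
    try:
        conn.execute(sql)
    except sqlite3.Error as err:
        return "error: %s" % err
    return stored_names(conn)


def insert_by_escaping(title):
    """Escape, then paste. Doubling the single quote is standard SQL and
    MySQL accepts it too, but MySQL additionally treats backslash as special,
    which is why its client library ships its own escaping routine. Escaping
    also only protects a value inside a quoted string: a title used as a
    number, a column name or a LIMIT is not covered by it."""
    conn = fresh_table()
    escaped = title.replace("'", "''")
    conn.execute("INSERT INTO list (name) VALUES ('%s')" % escaped)
    return stored_names(conn)


def insert_by_parameter(title):
    """Parameterized query: the statement text is fixed and the title travels
    separately as data, so no character in it can alter the statement and no
    per-database escaping rules need to be known by the caller."""
    conn = fresh_table()
    conn.execute("INSERT INTO list (name) VALUES (?)", (title,))
    return stored_names(conn)


if __name__ == "__main__":
    print(insert_by_pasting(SAMPLE_TITLE))
    print(insert_by_escaping(SAMPLE_TITLE))
    print(insert_by_parameter(SAMPLE_TITLE))
```

Placeholder syntax varies by driver (`?` for sqlite3, `%s` for the usual Python MySQL drivers, `?` for PHP's PDO), but the property is the same: the database receives the statement and the value as two separate things, which is what the "(?name)" proposal above is reaching for.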