Alessandro Vesely wrote:
> Matt Comer wrote:
>
>> I agree, but with one possible caveat: most RDBMSs allow you to configure
>> the quoting behavior away from the default if you want. I am not a mysql
>> expert, but if mysql allows the quote character (default "\" for mysql)
>> then authmysql should also allow this to be configurable.
>>
>
> Good thought! As a security enhancement, one can set an SQL_MODE of
> NO_BACKSLASH_ESCAPES. Thereafter backslash escaping is not possible.
> Otherwise, injections can be carried out using sequences crafted so
> that after escaping they become valid multibyte characters. See
> http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
>
> I'd use mysql_real_escape_string(), if available. See
> http://bugs.mysql.com/bug.php?id=10214
>
No, you should never use any escape function on user input if it can be
helped. Prepared statements are the most convenient, fastest, and most
secure way to make queries that include user input:
http://dev.mysql.com/doc/refman/5.0/en/c-api-prepared-statements.html

I can barely make out what's going on in the mysql auth driver, but it
doesn't look like Sam's work.

_______________________________________________
courier-users mailing list
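The following is an added illustration of the two points made in this thread, not code from the thread or from Courier's authmysql driver. It reproduces the multibyte trick from the linked Shiflett post (the GBK lead byte 0xBF followed by the quote, which a charset-unaware escaper turns into the valid GBK character 0xBF 0x5C plus a bare quote), shows that quote doubling of the kind used under NO_BACKSLASH_ESCAPES does not have that hole, and shows that a bound parameter is untouched either way. Assumptions: an in-memory SQLite table stands in for the MySQL users table, the `decode()` call models the server reading the statement bytes under a GBK connection charset, and the attacker bytes and table rows are constructed for the demo.

```python
"""Escaping vs. parameter binding under a multibyte connection charset.

Added example for the discussion above; not Courier's authmysql code.
SQLite stands in for the database, and decoding the statement bytes as GBK
stands in for the server reading them under that connection charset.
"""
import sqlite3

# Constructed attacker input. 0xBF is a GBK lead byte; 0xBF 0x27 is not a
# valid GBK character, but 0xBF 0x5C (0x5C is the backslash) is.
ATTACK = b"\xbf\x27 OR 1=1 -- "

# Constructed table contents; several rows so an injected "OR 1=1" shows.
USERS = [(1, "alice"), (2, "bob"), (3, "carol")]


def addslashes(raw: bytes) -> bytes:
    """Charset-unaware escaping in the style of addslashes(): put a backslash
    before ' " \\ and NUL, one byte at a time."""
    out = bytearray()
    for b in raw:
        if b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def double_quotes(raw: bytes) -> bytes:
    """Escaping that is valid under SQL_MODE NO_BACKSLASH_ESCAPES: a quote is
    written as two quotes and the backslash is never special."""
    return raw.replace(b"'", b"''")


def _fresh_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return con


def run_concatenated(escaper, charset: str = "gbk") -> list:
    """Build the statement by concatenation, as a driver that escapes and
    concatenates would, then run it as the server would read it under
    `charset`. Returns the matched ids."""
    sql_bytes = b"SELECT id FROM users WHERE name = '" + escaper(ATTACK) + b"'"
    # The server decodes the whole statement under the connection charset.
    # With addslashes() the bytes 0xBF 0x5C collapse into one GBK character
    # and the following quote terminates the literal early. With
    # double_quotes() the lone 0xBF is an invalid character (replaced here)
    # and the doubled quote stays a literal quote.
    sql = sql_bytes.decode(charset, errors="replace")
    return [row[0] for row in _fresh_db().execute(sql)]


def run_prepared(charset: str = "gbk") -> list:
    """Parameter binding: the value never becomes part of the SQL text, so no
    charset trick can turn it into syntax. Stand-in for mysql_stmt_prepare()
    and mysql_stmt_bind_param() from the linked C API page."""
    value = ATTACK.decode(charset, errors="replace")
    cur = _fresh_db().execute("SELECT id FROM users WHERE name = ?", (value,))
    return [row[0] for row in cur]


if __name__ == "__main__":
    print("backslash escaping, GBK connection:", run_concatenated(addslashes))
    print("quote doubling, GBK connection:    ", run_concatenated(double_quotes))
    print("prepared statement:                ", run_prepared())
```

Run it and the first line lists every user: the literal closed after one character and `OR 1=1` ran as SQL. Quote doubling returns nothing, and so does the bound parameter, whatever the charset. Note that the concatenated query is only executed after the backslash has already been absorbed, so SQLite's own lack of backslash escapes does not affect the outcome.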
