begin quoting Rick Funderburg as of Thu, Aug 23, 2007 at 04:20:28PM -0700:
> On 8/23/07, Nikolaj Baer <[EMAIL PROTECTED]> wrote:
> > I have always either used parameterized queries or just done a
> > $p.replace("'","\\'"). Is there something beyond a ' that I would have
yes, \
> > to worry about escaping inside a quoted string (like a terminating
> > character, i have been assuming that all the other characters except
> > the ' are escaped at the lower layer)?
Huh. I missed this.
<checks>
Ah, it was top-posted.
> Clever people can anticipate your straight forward approach and add an
> extra backslash into their injection so that the resulting sql escapes
> your backslash rather than the quote.
Yup.
--
Gotta escape everything.
Stewart Stremler
--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-lpsg
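The bypass described in this exchange, as an added example that is not part of the original thread: an attacker-supplied leading backslash swallows the backslash that a quote-only escaper inserts, so the attacker's quote terminates the string literal. The `string_literal_end` helper emulates a MySQL-style dialect where backslash escapes the next character (an assumption made for this example); the `users` table, the `ATTACKER_INPUT` value and all function names are constructed here for illustration and are not from the list posters.

```python
import sqlite3
from typing import Callable, List, Tuple

# Attacker-controlled input, constructed for this example. The leading
# backslash is the trick from the reply above: it is meant to swallow the
# backslash the naive escaper adds, so the attacker's quote survives.
ATTACKER_INPUT = "\\' OR 1=1 --"


def naive_escape(value: str) -> str:
    """The approach from the original question: escape only the quote."""
    return value.replace("'", "\\'")


def escape_backslash_and_quote(value: str) -> str:
    """Escape the backslash first, then the quote ("gotta escape everything").
    Illustrative only: it covers the two characters discussed in the thread,
    not every character a real driver's quoting function would handle."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def build_query(escaped_value: str) -> str:
    """Splice the (supposedly) escaped value into a fixed query template."""
    return f"SELECT id FROM users WHERE name = '{escaped_value}'"


def string_literal_end(sql: str, start: int) -> int:
    """Index of the quote that closes the string literal opening at sql[start].

    Emulates a backslash-escaping SQL dialect (MySQL-style; an assumption for
    this example): a backslash consumes the character that follows it.
    Returns -1 if the literal is never terminated."""
    i = start + 1
    while i < len(sql):
        if sql[i] == "\\":
            i += 2          # escaped character: skip it, whatever it is
            continue
        if sql[i] == "'":
            return i
        i += 1
    return -1


def split_literal(sql: str) -> Tuple[str, str]:
    """Return (raw literal body, SQL text after the literal) for the first
    single-quoted string in sql, using the backslash rules above."""
    start = sql.index("'")
    end = string_literal_end(sql, start)
    if end == -1:
        return sql[start + 1:], ""
    return sql[start + 1:end], sql[end + 1:].strip()


def injected_tail(escaper: Callable[[str], str], value: str) -> str:
    """What the database sees *outside* the string literal after escaping
    `value` with `escaper` and splicing it into the query. Anything here is
    attacker-controlled SQL."""
    return split_literal(build_query(escaper(value)))[1]


def parameterized_lookup(name: str) -> List[int]:
    """The other option named in the question: a parameterized query.
    Uses an in-memory SQLite table constructed for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    rows = conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()
    conn.close()
    return [row[0] for row in rows]


def naive_escape_errors_in_sqlite(value: str) -> bool:
    """Caveat: SQLite does not treat backslash as an escape at all, so the
    naive escaper yields a syntax error there even for an honest input
    such as O'Brien. Escaping rules belong to the database, not the app."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    try:
        conn.execute(build_query(naive_escape(value)))
        return False
    except sqlite3.Error:
        return True
    finally:
        conn.close()


if __name__ == "__main__":
    print("naive tail    :", repr(injected_tail(naive_escape, ATTACKER_INPUT)))
    print("escaped tail  :", repr(injected_tail(escape_backslash_and_quote, ATTACKER_INPUT)))
    print("parameterized :", parameterized_lookup(ATTACKER_INPUT))
    print("sqlite error  :", naive_escape_errors_in_sqlite("O'Brien"))
```

With the quote-only escaper the database sees `OR 1=1 --'` outside the literal; with the backslash escaped first, nothing leaks out; with a bound parameter the whole attacker string is just a name that matches no row. The last function shows why hand-rolled escaping is fragile even when done carefully: the correct rule differs between dialects, which is the practical reason to prefer parameters.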