On Jan 6, 11:46 am, chaffeqa <[email protected]> wrote:
> As far as I can tell via tests, quotes, backticks, commas, semicolons,
> and parentheses are not escaped on a DB.insert statement.
>
> I am pretty green on SQL injection attacks, but isn't this a
> vulnerability?
For most SQL servers, this isn't a problem, as the only character you
need to escape in an SQL string is the apostrophe (' -> ''). That's
actually specified by the SQL standard. Some servers operate
differently, but in most adapters (and all commonly used adapters),
Sequel uses the database driver's escaping function to escape string
input.
If you do find an SQL injection vulnerability, just let me know and I
can assure you it will be treated with the utmost priority.
Thanks,
Jeremy
--
You received this message because you are subscribed to the Google Groups
"sequel-talk" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to
[email protected].
For more options, visit this group at
http://groups.google.com/group/sequel-talk?hl=en.
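An added illustration of Jeremy's point, written for this thread and not taken from the Sequel project (Sequel's own entry point for this is `DB.literal`, which delegates to the driver): the SQL-standard string escape doubles the apostrophe and nothing else, and a small tokenizer that understands single-quoted literals shows why the commas, semicolons, parentheses and backticks chaffeqa listed are inert inside a literal, while an unescaped apostrophe is the one character that ends it early. The table and column names and the sample value are constructed for the example.

```ruby
# Added example for the sequel-talk thread; not Sequel's code.
# It models what a database's SQL parser sees for a string literal.

# SQL-standard string literal: wrap in apostrophes and double any
# apostrophe inside the value (' -> '').
def sql_literal(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Split an SQL fragment into [:code, ...] and [:string, ...] tokens,
# treating '' inside a literal as one escaped apostrophe.  A literal that
# is still open at the end of the input is reported as :unterminated.
def tokenize_sql(sql)
  tokens = []
  buf = +""
  in_string = false
  i = 0
  while i < sql.length
    ch = sql[i]
    if in_string
      if ch == "'" && sql[i + 1] == "'"
        buf << "'"          # doubled apostrophe: a literal quote character
        i += 1
      elsif ch == "'"
        tokens << [:string, buf]   # closing apostrophe ends the literal
        buf = +""
        in_string = false
      else
        buf << ch           # commas, ;, (), backticks: just string content
      end
    elsif ch == "'"
      tokens << [:code, buf] unless buf.empty?
      buf = +""
      in_string = true
    else
      buf << ch
    end
    i += 1
  end
  tokens << [in_string ? :unterminated : :code, buf] unless buf.empty?
  tokens
end

# INSERT built with the standard escape (constructed table/column names).
def insert_tokens(value)
  tokenize_sql("INSERT INTO publishers (name) VALUES (#{sql_literal(value)})")
end

# The same INSERT with the value dropped in unescaped, to show that the
# apostrophe, not the other punctuation, is what breaks the literal.
def naive_insert_tokens(value)
  tokenize_sql("INSERT INTO publishers (name) VALUES ('#{value}')")
end

if __FILE__ == $PROGRAM_NAME
  value = "O'Reilly, Inc. (2nd ed.); `x`"
  p insert_tokens(value)          # one :string token holding the whole value
  p naive_insert_tokens("O'Reilly") # literal closes after "O"; rest is :unterminated
end
```

The caveat Jeremy's "some servers operate differently" points at is real: MySQL, for example, also treats backslash as an escape character in string literals unless NO_BACKSLASH_ESCAPES is set, so a hand-rolled apostrophe-only escape is not portable, which is exactly why Sequel hands string escaping to the database driver rather than doing it itself.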