Well that's what I guessed, seemed like Sequel was on the ball about injection, but I couldn't shake the fear of none of those "important" characters being escaped.
Thanks at least that clears my worries!

On Fri, Jan 6, 2012 at 8:13 PM, Jeremy Evans <[email protected]> wrote:
> On Jan 6, 11:46 am, chaffeqa <[email protected]> wrote:
> > As far as I can tell via tests, quotes, backticks, commas, semicolons,
> > and parentheses are not escaped on a DB.insert statement.
> >
> > I am pretty green on SQL injection attacks, but isn't this a
> > vulnerability?
>
> For most SQL servers, this isn't a problem, as the only character you
> need to escape in an SQL string is the apostrophe (' -> ''). That's
> actually specified by the SQL standard. Some servers operate
> differently, but in most adapters (and all commonly used adapters),
> Sequel uses the database driver's escaping function to escape string
> input.
>
> If you do find an SQL injection vulnerability, just let me know and I
> can assure you it will be treated with the utmost priority.
>
> Thanks,
> Jeremy
>
> --
> You received this message because you are subscribed to the Google Groups
> "sequel-talk" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/sequel-talk?hl=en.

--
Cheers!
*Quinn Chaffee*
(Cell) 440-796-4352
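Added illustration of Jeremy's point above (this is not code from the thread or from Sequel itself): in a standard-SQL string literal only the apostrophe needs escaping, by doubling it, because the literal is delimited solely by apostrophes. The small scanner below mimics how a standard-SQL parser consumes such a literal, so you can see that semicolons, parentheses, backticks and double quotes never leave the literal, while an unescaped apostrophe does let the remainder of the input become SQL.

```ruby
# Build a string literal the way SQL-92 requires: wrap in apostrophes and
# double any apostrophe inside the value. Nothing else is special.
def sql_literal(value)
  "'" + value.gsub("'", "''") + "'"
end

# The mistake the escaping prevents: quoting without doubling apostrophes.
def unsafe_literal(value)
  "'" + value + "'"
end

# Minimal scanner for a standard-SQL string literal. Starting at the opening
# apostrophe, it consumes characters until the closing apostrophe, treating a
# doubled apostrophe as a literal one. Returns [decoded_value, rest_of_sql].
def scan_string_literal(sql)
  raise ArgumentError, "expected opening apostrophe" unless sql.start_with?("'")
  out = +""
  i = 1
  while i < sql.length
    c = sql[i]
    if c == "'"
      if sql[i + 1] == "'"        # '' inside the literal -> one apostrophe
        out << "'"
        i += 2
        next
      end
      return [out, sql[(i + 1)..-1]]  # closing apostrophe: literal ends here
    end
    out << c
    i += 1
  end
  raise ArgumentError, "unterminated string literal"
end

# Round-trip a value through sql_literal and the scanner, with some SQL text
# following the literal. Returns [value_survived_intact?, text_after_literal].
def round_trip(value, tail = ");")
  decoded, rest = scan_string_literal(sql_literal(value) + tail)
  [decoded == value, rest]
end

if __FILE__ == $0
  # Constructed inputs: the characters the original question worried about.
  p round_trip(%q{a"b`c,d;e(f)g})        # => [true, ");"]
  p round_trip("x' OR 1=1 --")           # => [true, ");"]
  p scan_string_literal(unsafe_literal("x' OR 1=1 --") + ");")
end
```

The last line shows the failure mode: without apostrophe doubling the scanner closes the literal after `x`, and everything from ` OR 1=1` onward is parsed as SQL rather than as data.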
