On Tue, 25 Apr 2006 22:14:34 +0400 Oleg Broytmann <[EMAIL PROTECTED]> wrote:
> On Tue, Apr 25, 2006 at 10:52:35AM -0700, Jason Chu wrote:
> > On Tue, 25 Apr 2006 19:45:04 +0400
> > Oleg Broytmann <[EMAIL PROTECTED]> wrote:
> > > On Tue, Apr 25, 2006 at 04:24:04PM +0200, Grzesiek Slusarek wrote:
> > > > Hi all. In my apps I'm using select with clause="my_column like
> > > > ('%s%')" %(myvariable). I'm wondering whether SQLObject can escape
> > > > values that I put in select (to prevent e.g. SQL injection).
> > >
> > > No, SQLObject doesn't do such protection.
> > >
> > Actually, the sqlrepr function does it...
>
> But it doesn't protect semicolons and other special characters -
> it only escapes backslashes and quotes.
>
> Oleg.
But a semicolon within a string is totally valid. Just as long as you
can't escape out of the string and then use a semicolon.
Jason
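To make the exchange above concrete, here is an added example (not code from the thread and not SQLObject's own code). It builds the same kind of LIKE clause three ways against an in-memory SQLite table with a few constructed rows: the raw %-formatting from the first message, the same query with the value quoted first (quote_string below is a simplified stand-in for the quote escaping Oleg and Jason are discussing, assuming SQLite's rule of doubling single quotes; it is not sqlrepr), and a bound parameter. The trailing wildcard is written as '%%' so Python's % operator does not read it as a format directive.

```python
import sqlite3

# Constructed sample data for this example (not from the original thread).
# "semi;colon" exercises the semicolon point; "_draft" exercises LIKE wildcards.
SAMPLE_ROWS = [
    ("alice", "admin"),
    ("bob", "user"),
    ("semi;colon", "user"),
    ("_draft", "user"),
]


def make_db():
    """Build an in-memory SQLite table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def unsafe_like(conn, prefix):
    """The pattern from the thread: the user value is %-formatted straight into
    the LIKE clause, so a quote in it ends the string literal and the rest
    of the value is parsed as SQL."""
    clause = "name LIKE '%s%%'" % prefix  # '%%' is a literal '%' wildcard
    sql = "SELECT name FROM users WHERE " + clause
    return sorted(row[0] for row in conn.execute(sql))


def quote_string(value):
    """Simplified stand-in for the quote escaping the thread attributes to
    sqlrepr (assumption: SQLite flavour, where a quote inside a literal is
    written as '' and backslash is not special). Not SQLObject's own code."""
    return "'" + value.replace("'", "''") + "'"


def escaped_like(conn, prefix):
    """Same string-built query, but the value is quoted first. A semicolon or
    a quote in the value now stays inside the literal instead of ending it,
    which is exactly the point made at the end of the thread."""
    clause = "name LIKE " + quote_string(prefix + "%")
    sql = "SELECT name FROM users WHERE " + clause
    return sorted(row[0] for row in conn.execute(sql))


def escape_like(value, esc="\\"):
    """Escape LIKE metacharacters (% and _) so the value matches literally.
    Quote escaping alone does not do this; it is a separate concern."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def parameterized_like(conn, prefix):
    """Preferred form: bind the value with a placeholder so no SQL text is
    built from it at all, and escape LIKE wildcards separately."""
    sql = "SELECT name FROM users WHERE name LIKE ? ESCAPE '\\'"
    pattern = escape_like(prefix) + "%"
    return sorted(row[0] for row in conn.execute(sql, (pattern,)))


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR 1=1 --"  # closes the literal, then comments out the rest
    print("unsafe, payload:  ", unsafe_like(db, payload))      # every row
    print("escaped, payload: ", escaped_like(db, payload))     # []
    print("escaped, 'semi;': ", escaped_like(db, "semi;"))     # ['semi;colon']
    print("escaped, '_':     ", escaped_like(db, "_"))         # every row: _ is a wildcard
    print("param, '_':       ", parameterized_like(db, "_"))   # ['_draft']
```

Two things to take from running it. First, the quoted version is safe against the payload and happily matches "semi;colon", so a semicolon inside a properly terminated literal is harmless, as Jason says; whether a quoting routine is correct depends on the backend's literal syntax, so check the rules for the database actually in use rather than assuming one escaping scheme. Second, quote escaping says nothing about LIKE's own metacharacters: an input of "_" still matches every row in the quoted version, and only the parameterized version with an ESCAPE clause treats it literally.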
