On Tue, Apr 25, 2006 at 11:25:52AM -0700, Jason Chu wrote:
> On Tue, 25 Apr 2006 22:14:34 +0400
> Oleg Broytmann <[EMAIL PROTECTED]> wrote:
> 
> > On Tue, Apr 25, 2006 at 10:52:35AM -0700, Jason Chu wrote:
> > > On Tue, 25 Apr 2006 19:45:04 +0400
> > > Oleg Broytmann <[EMAIL PROTECTED]> wrote:
> > > > On Tue, Apr 25, 2006 at 04:24:04PM +0200, Grzesiek Slusarek wrote:
> > > > > Hi all. In my apps I'm using select with clause="my_column like 
> > > > > ('%s%')" %(myvariable). I'm wondering whether SqlObject can escape 
> > > > > values that I put in select (to prevent e.g. SQL injection).
> > > > 
> > > >    No, SQLObject doesn't do such protection.
> > > > 
> > > Actually, the sqlrepr function does it...
> > 
> >    But it doesn't protect semicolons and other special characters -
> > it only escapes backslashes and quotes.
> > 
> But a semicolon within a string is totally valid.  Just as long as you
> can't escape out of the string and then use a semicolon.

   The original question was about SQL injection (at least that's how I
understood it).

Oleg.
-- 
     Oleg Broytmann            http://phd.pp.ru/            [EMAIL PROTECTED]
           Programmers don't die, they just GOSUB without RETURN.


_______________________________________________
sqlobject-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/sqlobject-discuss

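The three positions in the thread (unescaped formatting is injectable; escaping quotes and backslashes is enough to keep a value inside its string; a semicolon inside the string is then harmless) can be checked directly. The following is an added example, not code from the thread or from SQLObject itself: `quote_literal` is a hypothetical stand-in that only doubles single quotes, in place of SQLObject's `sqlrepr`, the table and rows are constructed sample data, and SQLite is used as the backend (SQLite does not treat backslashes as escapes, so the backslash doubling the thread mentions is left out here).

```python
import sqlite3

# Constructed sample table; not data from the mailing-list thread.
ROWS = [("alice", "secret-1"), ("bob", "secret-2"), ("c;d", "secret-3")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, token TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def quote_literal(value):
    """Hypothetical stand-in for the quote escaping the thread attributes to
    sqlrepr: doubles single quotes so the value cannot close the SQL string.
    Nothing else (semicolons, LIKE wildcards) is touched.  Backslash handling
    is dialect specific (MySQL treats it as an escape, SQLite does not), so it
    is deliberately omitted in this SQLite example."""
    return value.replace("'", "''")


def search_naive(conn, prefix):
    # Vulnerable: the value is spliced into the statement text, as in the post.
    sql = "SELECT name FROM users WHERE name LIKE '%s%%'" % prefix
    return [row[0] for row in conn.execute(sql)]


def search_escaped(conn, prefix):
    # Still string formatting, but the literal is quoted first, so the value
    # stays inside the string no matter what it contains.
    sql = "SELECT name FROM users WHERE name LIKE '%s%%'" % quote_literal(prefix)
    return [row[0] for row in conn.execute(sql)]


def search_param(conn, prefix):
    # Preferred: the driver binds the value; it never becomes SQL text at all.
    # Note that LIKE's own wildcards (% and _) inside the value are still
    # interpreted by LIKE in all three variants; that is a separate concern.
    sql = "SELECT name FROM users WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, (prefix + "%",))]


def table_survives(conn, prefix, escape):
    """Run the formatted query through executescript (which, unlike execute,
    runs several statements) and report whether the users table still exists.
    This is what a value containing "'; DROP TABLE ...; --" is trying to do."""
    literal = quote_literal(prefix) if escape else prefix
    conn.executescript("SELECT name FROM users WHERE name LIKE '%s%%'" % literal)
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='users'"
    ).fetchone()
    return row[0] == 1


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"
    print("naive   :", search_naive(db, payload))     # every row leaks
    print("escaped :", search_escaped(db, payload))   # nothing matches
    print("param   :", search_param(db, payload))     # nothing matches
    print("semicolon inside a quoted value:", search_escaped(db, "c;"))
    drop = "'; DROP TABLE users; --"
    print("table survives (escaped):", table_survives(make_db(), drop, True))
    print("table survives (naive)  :", table_survives(make_db(), drop, False))
```

Run it and the `' OR 1=1 --` payload returns every row through `search_naive` and nothing through the other two; `c;` finds the row `c;d` in all three, which is Jason's point that a semicolon is just a character once it cannot close the string; and the `DROP TABLE` payload only removes the table when the value is formatted in unquoted.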