On Tue, 25 Apr 2006 22:55:10 +0400
Oleg Broytmann <[EMAIL PROTECTED]> wrote:

> On Tue, Apr 25, 2006 at 11:25:52AM -0700, Jason Chu wrote:
> > On Tue, 25 Apr 2006 22:14:34 +0400
> > Oleg Broytmann <[EMAIL PROTECTED]> wrote:
> > 
> > > On Tue, Apr 25, 2006 at 10:52:35AM -0700, Jason Chu wrote:
> > > > On Tue, 25 Apr 2006 19:45:04 +0400
> > > > Oleg Broytmann <[EMAIL PROTECTED]> wrote:
> > > > > On Tue, Apr 25, 2006 at 04:24:04PM +0200, Grzesiek Slusarek
> > > > > wrote:
> > > > > > Hi all. In my apps I'm using select with clause="my_column
> > > > > > like ('%s%')" %(myvariable). I'm wondering whether SqlObject
> > > > > > can escape values that I put in select (to prevent e.g.
> > > > > > SqlInjection).
> > > > > 
> > > > >    No, SQLObject doesn't do such protection.
> > > > > 
> > > > Actually, the sqlrepr function does it...
> > > 
> > >    But it doesn't protect semicolons and other special characters
> > > - it only escapes backslashes and quotes.
> > > 
> > But a semicolon within a string is totally valid.  Just as long as
> > you can't escape out of the string and then use a semicolon.
> 
>    The original question was about SQL injection (at least that's how I
> understood it).
> 
> Oleg.

How does sqlrepr not protect against SQL injection?  By ensuring that
all string variables can never be escaped out of, it stops anything
from being executed, no?

Jason
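The escaping Jason describes, as an added example that is not sqlrepr or any code from this thread: a stand-in literal escaper builds the LIKE clause from the original question and is checked against a constructed in-memory SQLite table. It assumes SQL-standard quote doubling (what SQLite accepts) in place of the backslash-style escaping mentioned above, and also shows the caveat that keeping a value inside the literal does not neutralise LIKE's own wildcards.

```python
import sqlite3

def sql_string_literal(value):
    """Wrap value in quotes, doubling any single quote inside it.

    This is the SQL-standard form of the protection the thread attributes to
    sqlrepr (the value can never end the literal); it is a stand-in written for
    this example, not SQLObject's code. Backslashes are not special to SQLite,
    so they are left alone here.
    """
    return "'" + value.replace("'", "''") + "'"

def like_clause(column, prefix, escape_wildcards=False):
    """Build `column LIKE '<prefix>%'` with the user value kept inside the literal.

    Quote-escaping stops the value from ending the string, but LIKE's own
    wildcards (% and _) are still interpreted; escape_wildcards=True neutralises
    them with an ESCAPE clause so the user's text is matched literally.
    """
    if escape_wildcards:
        for ch in ("\\", "%", "_"):
            prefix = prefix.replace(ch, "\\" + ch)
        return "%s LIKE %s ESCAPE '\\'" % (column, sql_string_literal(prefix + "%"))
    return "%s LIKE %s" % (column, sql_string_literal(prefix + "%"))

def search(prefix, escape_wildcards=False):
    """Run the prefix search against a constructed table and return the matches."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (my_column TEXT)")
    # constructed sample rows; one contains both a quote and a semicolon
    conn.executemany("INSERT INTO t VALUES (?)", [("alpha",), ("alp'ha;",), ("beta",)])
    sql = "SELECT my_column FROM t WHERE " + like_clause("my_column", prefix, escape_wildcards)
    # sqlite3 refuses to run more than one statement per execute(), so a value
    # that did break out of the literal and append a statement would raise here
    rows = [row[0] for row in conn.execute(sql + " ORDER BY rowid")]
    conn.close()
    return rows

if __name__ == "__main__":
    print(search("alp"))       # ['alpha', "alp'ha;"]
    print(search("alp'"))      # ["alp'ha;"]  the quote stays inside the literal
    print(search("'; x"))      # []           the semicolon is plain data
    print(search("%"))         # all rows: % is a LIKE wildcard, not escaped
    print(search("%", True))   # []           wildcard escaped via ESCAPE
```

With a driver that supports parameters, passing the pattern as a bound parameter instead of building the literal gives the same string safety without hand escaping; the wildcard handling is still needed either way.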
