No, I meant for example: if $sht(tbl=>$rU) leads to something important, like a deletion of something else, and the caller can set $rU arbitrarily...
— Sent from mobile, apologies for brevity and errors.

> On Jan 10, 2023, at 3:35 AM, Daniel-Constantin Mierla <[email protected]> wrote:
>
> Being careful about sql injection is important for security, but it
> should not be the case for htable when using db_mysql, because htable
> uses the internal sql-insert db api and the values are escaped
> automatically using mysql_real_escape_string(). The db_postgres
> connector uses PQescapeStringConn(), iirc db_unixodbc has a modparam for
> common escaping.
>
> Of course, if htable is not defined to write to database, then no
> concern at all about the key or value and sql injection.
>
> On the other hand, it is important to do safety checks when using
> directly sql_query()/sqlops in the config.
>
> Cheers,
> Daniel
>
>> On 09.01.23 22:06, Alex Balashov wrote:
>> I know that Noah knows this, but it bears reminding for posterity that one
>> should be careful with using unsanitised bare PV values as keys, for reasons
>> that are conceptually similar to the problem of SQL Injection.
>>
>> -- Alex
>>
>> --
>> Alex Balashov
>> Principal Consultant
>> Evariste Systems LLC
>> Web: https://evaristesys.com
>> Tel: +1-706-510-6800
>>
> --
> Daniel-Constantin Mierla -- www.asipto.com
> www.twitter.com/miconda -- www.linkedin.com/in/miconda
> Kamailio World Conference - June 5-7, 2023 - www.kamailioworld.com
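The safety check the thread calls for, as an added Kamailio config example that is not part of the list discussion: the request user part is constrained to the shape this deployment expects before it is ever used as an htable key, so a caller cannot choose which entry a delete touches. The table name "acct", the digit pattern and the database URL are assumptions for this example.

```kamailio
#!KAMAILIO
# Constructed example, not from the thread: a DB-backed htable whose key is
# taken from the Request-URI user part only after validation.
loadmodule "htable.so"
loadmodule "sl.so"
loadmodule "xlog.so"

# Assumed table name "acct" and a placeholder DB URL. dbtable= makes the
# htable load from and write back to the database, the case discussed above.
modparam("htable", "db_url", "mysql://kamailio:PASSWORD_PLACEHOLDER@localhost/kamailio")
modparam("htable", "htable", "acct=>size=8;dbtable=htable;dbmode=1")

request_route {
    # Risky form (kept as a comment): $rU is whatever the caller put in the
    # Request-URI, and assigning $null deletes the entry, so the caller
    # chooses which record disappears.
    #   $sht(acct=>$rU) = $null;

    # Hardened form: accept only the key shape this deployment uses
    # (assumed here: optional leading '+' followed by 3 to 15 digits) and
    # reject everything else before any htable access happens.
    if (!($rU =~ "^[+]?[0-9]{3,15}$")) {
        xlog("L_WARN", "rejecting unexpected user part [$rU] from $si\n");
        sl_send_reply("400", "Bad Request");
        exit;
    }

    # Only a validated value reaches the key position.
    if ($sht(acct=>$rU) != $null) {
        $sht(acct=>$rU) = $null;
    }
}
```

The same pattern applies to any other PV (for example $si or $fU) used as an htable key: validate against the expected shape first, then index the table.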
