On Mon, Oct 7, 2013 at 8:54 AM, Jeroen De Dauw <[email protected]> wrote:

> Hey,
>
> When constructing an SQL string, how should the following things be
> escaped, if at all?
>
> * Field names
> * Index names
>
> It looks like when doing a select using the Database MW thing, the field
> names provided do not get escaped at all.

The "field names" are really arbitrary SQL at this point, and a few too many places in MW core abuse this last I checked. The presumption is that user-controlled data should never go into the field name. If you are writing an enhancement to this, you should wrap them in ` and escape ` characters in the name. DatabaseBase::addIdentifierQuotes wraps, but doesn't escape.

> Cheers
>
> --
> Jeroen De Dauw
> http://www.bn2vs.com
> Don't panic. Don't be evil. ~=[,,_,,]:3
>
> _______________________________________________
> Wikitech-l mailing list
> [email protected]
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
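As an added example (not MediaWiki code, and not DatabaseBase::addIdentifierQuotes itself), here is what the reply recommends in plain PHP: identifiers are checked against an allowlist of known column names before any SQL is assembled, then wrapped in backticks with embedded backticks escaped by doubling, which is what a wrap-only quoting helper leaves out. The function names, the column list and the table name are constructed for the example.

```php
<?php
// Added example: MySQL-style identifier quoting that both wraps and escapes,
// plus an allowlist check so that a field name never comes straight from input.

/**
 * Wrap an identifier in backticks and escape any backtick inside it.
 * In MySQL a literal backtick within a quoted identifier is written as ``.
 */
function quoteIdentifier( string $name ): string {
    if ( $name === '' || strpos( $name, "\0" ) !== false ) {
        throw new InvalidArgumentException( 'Invalid identifier' );
    }
    return '`' . str_replace( '`', '``', $name ) . '`';
}

/**
 * Build a SELECT whose column and table names are taken only from the
 * allowlist; anything else is rejected before the SQL string exists.
 */
function buildSelect( array $allowedColumns, array $requested, string $table ): string {
    $quoted = [];
    foreach ( $requested as $column ) {
        if ( !in_array( $column, $allowedColumns, true ) ) {
            throw new InvalidArgumentException( "Unknown column: $column" );
        }
        $quoted[] = quoteIdentifier( $column );
    }
    return 'SELECT ' . implode( ', ', $quoted ) . ' FROM ' . quoteIdentifier( $table );
}

// Constructed sample: the allowlist is the table's real column set.
$allowed = [ 'page_id', 'page_title', 'page_namespace' ];

// Normal case: known columns, quoted and joined.
echo buildSelect( $allowed, [ 'page_id', 'page_title' ], 'page' ), "\n";

// An identifier containing a backtick is still quoted into one token.
echo quoteIdentifier( 'odd`name' ), "\n";

// A column not on the allowlist is refused rather than interpolated.
try {
    buildSelect( $allowed, [ 'not_a_column' ], 'page' );
} catch ( InvalidArgumentException $e ) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```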
