Re: sql escaping
- From: Xavier Bouchoux <xavier bouchoux free fr>
- To: Aaron Bockover <abockover novell com>
- Cc: f-spot-list gnome org
- Subject: Re: sql escaping
- Date: Thu, 06 Sep 2007 10:22:17 +0200
Aaron Bockover wrote:
> Using String.Format to construct a query with parameters is very
> incorrect, for this very reason (and often if escaping is not done
> properly, it can lead to security issues). While in applications like
> F-Spot and Banshee, using String.Format is okay in many situations,
> using the following method of command construction is critical for when
> strings are parameters (as you have just run into).
>
> [...]
>
> Granted, doing that manually is highly annoying. In Banshee I have a
> utility layer to make constructing proper parameter commands much
> simpler. Either way, this should solve the escaping issue.
>
Indeed, using the Banshee helper is as easy as using String.Format()
http://bugzilla.gnome.org/show_bug.cgi?id=474142
(well, if it is actually a correct fix...)
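An added example (not from this thread or from the F-Spot/Banshee code) showing the two constructions side by side; it assumes the Mono.Data.Sqlite ADO.NET provider and a constructed in-memory `tags` table:

```csharp
using System;
using System.Data;
using Mono.Data.Sqlite; // assumption: Mono's ADO.NET provider for SQLite

static class QueryExamples
{
    // What the thread warns against: the value is pasted into the SQL text, so a
    // name like O'Brien leaves an unterminated string and a crafted value could change the statement.
    public static string BuildWithFormat(string tagName)
    {
        return String.Format("SELECT id FROM tags WHERE name = '{0}'", tagName);
    }

    // What the thread recommends: the SQL keeps a placeholder and the value is bound as a
    // parameter, so no escaping is needed and the statement's structure is fixed before data is seen.
    public static IDbCommand BuildWithParameters(IDbConnection conn, string tagName)
    {
        IDbCommand cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT id FROM tags WHERE name = :name";
        IDbDataParameter p = cmd.CreateParameter();
        p.ParameterName = ":name";
        p.Value = tagName;
        cmd.Parameters.Add(p);
        return cmd;
    }

    static void Main()
    {
        // Constructed in-memory database, so this runs without F-Spot's photos.db.
        using (IDbConnection conn = new SqliteConnection("Data Source=:memory:"))
        {
            conn.Open();
            using (IDbCommand setup = conn.CreateCommand())
            {
                setup.CommandText = "CREATE TABLE tags (id INTEGER PRIMARY KEY, name TEXT);"
                                  + "INSERT INTO tags (name) VALUES ('O''Brien');";
                setup.ExecuteNonQuery();
            }
            string awkward = "O'Brien";
            using (IDbCommand bad = conn.CreateCommand())
            {
                bad.CommandText = BuildWithFormat(awkward);
                try { bad.ExecuteScalar(); }
                catch (SqliteException e) { Console.WriteLine("String.Format query failed: " + e.Message); }
            }
            using (IDbCommand good = BuildWithParameters(conn, awkward))
                Console.WriteLine("parameterized query found id " + good.ExecuteScalar());
        }
    }
}
```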