Re: sql escaping

From: Xavier Bouchoux <xavier bouchoux free fr>
To: Aaron Bockover <abockover novell com>
Cc: f-spot-list gnome org
Subject: Re: sql escaping
Date: Thu, 06 Sep 2007 10:22:17 +0200

Aaron Bockover a écrit :
> Using String.Format to construct a query with parameters is very
> incorrect, for this very reason (and often if escaping is not done
> properly, it can lead to security issues). While in applications like
> F-Spot and Banshee, using String.Format is okay in many situations,
> using the following method of command construction is critical for when
> strings are parameters (as you have just run into).
>
> [...]
>
> Granted, doing that manually is highly annoying. In Banshee I have a
> utility layer to make constructing proper parameter commands much
> simpler. Either way, this should solve the escaping issue.
>

Indeed, using the Banshee helper is as easy as using String.Format()
http://bugzilla.gnome.org/show_bug.cgi?id=474142

(well if it is actually a correct fix..)

Follow-Ups:
- Re: sql escaping
  - From: Stephane Delcroix

References:
- Re: sql escaping
  - From: Aaron Bockover

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]