Re: sql escaping



Hi Xavier,

I'm working on it at this very moment. And your patch looks like mine ;)

s

On Thu, 2007-09-06 at 10:22 +0200, Xavier Bouchoux wrote:
> Aaron Bockover wrote:
>  > Using String.Format to construct a query with parameters is very
>  > incorrect, for this very reason (and often if escaping is not done
>  > properly, it can lead to security issues). While in applications like
>  > F-Spot and Banshee, using String.Format is okay in many situations,
>  > using the following method of command construction is critical for when
>  > strings are parameters (as you have just run into).
>  >
>  > [...]
>  >
>  > Granted, doing that manually is highly annoying. In Banshee I have a
>  > utility layer to make constructing proper parameter commands much
>  > simpler. Either way, this should solve the escaping issue.
>  >
> 
> Indeed, using the Banshee helper is as easy as using String.Format()
> http://bugzilla.gnome.org/show_bug.cgi?id=474142
> 
> (well if it is actually a correct fix..)
> 
> _______________________________________________
> F-spot-list mailing list
> F-spot-list gnome org
> http://mail.gnome.org/mailman/listinfo/f-spot-list
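The contrast Aaron describes in the quoted message, as an added example that is not code from F-Spot or Banshee: the `String.Format` version pastes the value into the SQL text, so a tag name with an apostrophe produces a broken (or, with untrusted input, altered) statement, while the bound-parameter version hands the value to the provider separately and needs no escaping at all. The `Build` helper at the end is a hypothetical stand-in for the kind of utility layer Aaron mentions; it lets the caller write a format-style template but only ever substitutes parameter names into the SQL. The example assumes the Microsoft.Data.Sqlite ADO.NET provider (the Mono-era providers expose the same `IDbCommand`/`IDbDataParameter` pattern); the `tags` table and the sample names are constructed for illustration.

```csharp
// Added example, not from the F-Spot or Banshee code bases.
// Assumes the Microsoft.Data.Sqlite provider (NuGet package Microsoft.Data.Sqlite).
using System;
using Microsoft.Data.Sqlite;

static class TagLookup
{
    // Unsafe: the value is interpolated into the SQL text. A single quote in
    // tagName unbalances the string literal, and untrusted input can change
    // what the statement does.
    static string BuildWithFormat(string tagName)
    {
        return String.Format("SELECT id FROM tags WHERE name = '{0}'", tagName);
    }

    // Safe: the SQL text is fixed; the value is bound as a parameter and is
    // never parsed as SQL, so quotes need no escaping.
    static long? FindTagId(SqliteConnection conn, string tagName)
    {
        using (var cmd = conn.CreateCommand())
        {
            cmd.CommandText = "SELECT id FROM tags WHERE name = @name";
            cmd.Parameters.AddWithValue("@name", tagName);
            object result = cmd.ExecuteScalar();   // null when no row matches
            return result is long id ? id : (long?)null;
        }
    }

    // Hypothetical helper: template placeholders {0}, {1}, ... are replaced by
    // parameter names (@p0, @p1, ...) and the values are bound separately.
    // Caller writes it like String.Format, but values never touch the SQL text.
    static SqliteCommand Build(SqliteConnection conn, string template, params object[] values)
    {
        var cmd = conn.CreateCommand();
        var names = new object[values.Length];
        for (int i = 0; i < values.Length; i++)
        {
            names[i] = "@p" + i;
            cmd.Parameters.AddWithValue("@p" + i, values[i] ?? DBNull.Value);
        }
        cmd.CommandText = String.Format(template, names);
        return cmd;
    }

    static void Main()
    {
        using (var conn = new SqliteConnection("Data Source=:memory:"))
        {
            conn.Open();
            using (var setup = conn.CreateCommand())
            {
                // Constructed sample data; note the doubled quote needed here
                // precisely because this value is written into SQL text.
                setup.CommandText =
                    "CREATE TABLE tags (id INTEGER PRIMARY KEY, name TEXT NOT NULL);" +
                    "INSERT INTO tags (name) VALUES ('Holidays'), ('Kid''s birthday');";
                setup.ExecuteNonQuery();
            }

            string awkward = "Kid's birthday";   // constructed input with an apostrophe

            // 1. The String.Format statement fails at parse time because the
            //    apostrophe terminates the quoted literal early.
            using (var broken = conn.CreateCommand())
            {
                broken.CommandText = BuildWithFormat(awkward);
                try
                {
                    broken.ExecuteScalar();
                }
                catch (SqliteException e)
                {
                    Console.WriteLine("String.Format query rejected: " + e.Message);
                }
            }

            // 2. The parameterised lookup matches the same row with no escaping.
            Console.WriteLine("parameter lookup: " + FindTagId(conn, awkward));
            Console.WriteLine("missing tag is null: " + (FindTagId(conn, "no such tag") == null));

            // 3. The helper: placeholder is unquoted because it becomes @p0, not the value.
            using (var cmd = Build(conn, "SELECT id FROM tags WHERE name = {0}", awkward))
            {
                Console.WriteLine("helper lookup: " + cmd.ExecuteScalar());
            }
        }
    }
}
```

The one rule the helper enforces is that `String.Format` is applied to parameter names, never to data; the moment a caller quotes a placeholder in the template (`'{0}'`) the query breaks, which is a useful way of catching misuse early rather than silently producing an injectable statement.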