Re: ustring compose escaping capability



On Wed, 2008-01-23 at 10:36 +0100, Szilard Pfeiffer wrote:
> I hope there will be no misunderstanding if I write it step-by-step: 
> 
> 1. in the glibmm there is an ustring::compose API 
> 2. it is not possible to escape with this API 
> 3. it would be useful for us (my colleagues and me) and maybe for
> others 
> 4. we have a potential solution (without API incompatibility) 
> 5. with some work I can create a patch for you 
> 6. it would be lovely if you integrated our patch to the glibmm 
> 
> Do you plan to implement your own solution to the problem? 
> May I hope you integrate our solution to the glibmm if you find it
> correct? 
> 
> regards 
> Szilard 
> 
> p.s.:
> 
> In this case escaping means string conversion. I think something like
> the following:
> 
> ustring::compose("SELECT * FROM table_name WHERE pub='%1'", "Joe's")
> 
> The result of the composition should be "SELECT * FROM table_name
> WHERE pub='Joe\'s'", but without escaping it will be "SELECT * FROM
> table_name WHERE pub='Joe's'", which is an incorrect SQL command.

it's totally wrong to do this within the compose code.

the function you want is much more general:

ustring::compose ("SELECT * FROM table_name WHERE pub='%1'",
make_legal_sql ("Joe's"))

ustring make_legal_sql(const ustring&) is a critical function because it
is (presumably) accepting user input and passing it to an SQL execution
engine. any user input should be thoroughly "scrubbed" before this
happens because of the potential security implications. simply escaping
quotes is only the start of what is needed (although it's a big part).
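To make the separation concrete, here is an added example (not glibmm code and not from either poster) in plain C++: a minimal `compose` stand-in that substitutes `%1`, `%2`, ... verbatim with no escaping, next to a separate `make_legal_sql` that does the escaping step the reply asks for. The escaping follows standard SQL, where a single quote inside a string literal is written as two single quotes (`Joe''s`), rather than the MySQL-style backslash form in the quoted message; it also rejects NUL bytes, which many drivers silently truncate at. Both function names and the argument-vector signature are assumptions for this example.

```cpp
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical stand-in for ustring::compose: replaces %1..%9 with the
// corresponding argument exactly as given. It deliberately does NOT escape
// anything; that is the thread's point about keeping compose general.
std::string compose(const std::string& fmt, const std::vector<std::string>& args) {
    std::string out;
    for (size_t i = 0; i < fmt.size(); ++i) {
        if (fmt[i] == '%' && i + 1 < fmt.size() && fmt[i + 1] >= '1' && fmt[i + 1] <= '9') {
            size_t idx = static_cast<size_t>(fmt[i + 1] - '1');
            if (idx < args.size()) out += args[idx];
            ++i;  // skip the digit
        } else {
            out += fmt[i];
        }
    }
    return out;
}

// Hypothetical make_legal_sql: the separate scrubbing step the reply
// proposes. It prepares text for use INSIDE a single-quoted SQL literal,
// so the caller's format string still supplies the surrounding quotes
// (pub='%1'), matching the usage in the thread. Standard SQL escapes a
// single quote by doubling it. NUL bytes are rejected because many
// drivers truncate the string at them, which would drop the closing quote.
std::string make_legal_sql(const std::string& value) {
    std::string out;
    out.reserve(value.size());
    for (char c : value) {
        if (c == '\0') throw std::invalid_argument("NUL byte in SQL string literal");
        if (c == '\'') out += "''"; else out += c;
    }
    return out;
}

// Convenience wrapper: the safe composition order, escaping applied to the
// value before it is substituted into the query text.
std::string build_query(const std::string& value) {
    return compose("SELECT * FROM table_name WHERE pub='%1'", {make_legal_sql(value)});
}

int main() {
    const std::string input = "Joe's";  // constructed sample input from the thread
    // Without escaping the literal ends early at the apostrophe: malformed SQL.
    std::cout << "unescaped: " << compose("SELECT * FROM table_name WHERE pub='%1'", {input}) << '\n';
    // With the separate escaping step the apostrophe stays inside the literal.
    std::cout << "escaped:   " << build_query(input) << '\n';
    return 0;
}
```

The quote-doubling rule is dialect-specific (MySQL, for instance, also treats backslash as an escape character unless `NO_BACKSLASH_ESCAPES` is set), which is exactly why escaping alone is "only the start": the robust fix is to pass values as bound parameters of a prepared statement so they never become part of the query text at all, and to keep any string-level escaping as a last resort tied to the target database's rules.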



