Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
10 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
fa2797e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we use query parameters/substitution variables instead? Since otherwise we would need to anticipate all special characters, right? (disclaimer: Not my area of expertise)
fa2797e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe something like changing:
to
that way types are respected. My VM is borked atm, otherwise I would test this out
fa2797e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't really know for sure, but don't think your proposal solves the problem. I think it would be just as vulnerable to the exploit. But I am not certain. Using prepared statements is likely the safest way to do this. But I think stripping out all " characters renders it safe, too. I should do some more testing.
fa2797e
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good discussion. Yes, prepared statements are generally described as protecting against SQL injection but of course, would need to be tested in the context of a specific library and query.