I've also noticed this problem.  It can be exploited to execute functions in
your database in certain circumstances where you're quoting submitted data.

I think this function may need different behavior for Oracle or Postgres.

On Monday 28 January 2002 11:46 am, you wrote:
> Hello.
>
> Here is what caused problems for me with both MySQL and PostgreSQL:
>
> ns_dblist $h "SELECT lower([ns_dbquotevalue {ABC'DEF\'}])"
>
> Basically it quoted the string into 'ABC''DEF\'', which is not correct.
>
> Also, it does not work correctly for UTF-escapable characters.
>
> proc ns_dbquotevalue {val} {
>      set val [string map [list "'" "''" "\\" "\\\\"] $val]
>      return "'$val'"
> }
>
> Here's the code I used - it does not handle datatypes, but I never used
> them anyway :)
>
> Any comments on this one?

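The following is an added example, not code from the thread or from AOLserver. It models, in Python rather than Tcl, how a database's string-literal scanner consumes a quoted value, so the two quoting strategies discussed above can be compared on the thread's input `ABC'DEF\'` without a database. `quote_quotes_only` is an assumed reconstruction of the behaviour being complained about (the old code is not shown in the thread); `quote_quotes_and_backslashes` is a direct equivalent of the posted proc. The `backslash_escapes` switch models the difference the reply raises: MySQL and PostgreSQL with `standard_conforming_strings=off` treat a backslash as an escape, while Oracle and PostgreSQL with `standard_conforming_strings=on` do not.

```python
# Added example, not code from the thread: a small model of a database
# string-literal scanner, used to compare the two quoting strategies
# under discussion on the input ABC'DEF\' without a database.

def quote_quotes_only(val: str) -> str:
    """Quote by doubling single quotes only (assumed reconstruction of the
    behaviour the thread complains about; the old code is not shown there)."""
    return "'" + val.replace("'", "''") + "'"


def quote_quotes_and_backslashes(val: str) -> str:
    """Python equivalent of the Tcl proc posted in the thread:
    doubles single quotes and doubles backslashes."""
    return "'" + val.replace("\\", "\\\\").replace("'", "''") + "'"


def scan_literal(sql: str, backslash_escapes: bool):
    """Consume one single-quoted literal at the start of `sql`.

    Rules modelled: '' inside the literal is one quote character; when
    `backslash_escapes` is True (MySQL, PostgreSQL with
    standard_conforming_strings=off) a backslash escapes the next character,
    otherwise (Oracle, PostgreSQL with standard_conforming_strings=on) a
    backslash is an ordinary character.

    Returns (decoded_value, remaining_sql), or None if the literal never
    terminates, which is the failure the reply describes: the rest of the
    statement is swallowed into the string instead of being parsed as SQL.
    """
    if not sql.startswith("'"):
        raise ValueError("expected a literal starting with a single quote")
    out = []
    i = 1
    while i < len(sql):
        c = sql[i]
        if c == "\\" and backslash_escapes:
            if i + 1 >= len(sql):
                return None
            out.append(sql[i + 1])
            i += 2
        elif c == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                out.append("'")
                i += 2
            else:
                return "".join(out), sql[i + 1:]
        else:
            out.append(c)
            i += 1
    return None


def round_trips(quote, val: str, backslash_escapes: bool) -> bool:
    """True if the scanner decodes quote(val) back to exactly val and the
    text after the literal (here the closing parenthesis) is seen as SQL."""
    prefix = "SELECT lower("
    stmt = prefix + quote(val) + ")"
    result = scan_literal(stmt[len(prefix):], backslash_escapes)
    if result is None:
        return False
    decoded, rest = result
    return decoded == val and rest == ")"


if __name__ == "__main__":
    # The value from the thread, constructed here as a Python string.
    sample = "ABC'DEF\\'"
    strategies = [("quotes only", quote_quotes_only),
                  ("quotes and backslashes", quote_quotes_and_backslashes)]
    dialects = [("backslash-escaping dialect", True),
                ("no-backslash-escape dialect", False)]
    for name, quote in strategies:
        for dialect, esc in dialects:
            ok = round_trips(quote, sample, esc)
            print(f"{name:24s} {dialect:28s} round-trips: {ok}")
```

Run as a script, the four combinations show the point of both messages: with quote-only escaping under a backslash-escaping dialect the literal never terminates, which is the condition the reply says can be exploited; the posted proc fixes that, but under a dialect without backslash escaping it returns a value with doubled backslashes, which is why one quoting function is unlikely to be right for every backend.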