I've also noticed this problem. It can be exploited to execute functions in your database in certain circumstances where you're quoting submitted data.
I think this function may need different behavior for Oracle or Postgres.

On Monday 28 January 2002 11:46 am, you wrote:
> Hello.
>
> Here is what caused problems for me with both mySQL and PostgreSQL:
>
> ns_dblist $h "SELECT lower([ns_dbquotevalue {ABC'DEF\'}])"
>
> Basically it quoted the string into 'ABC''DEF\'', which is not correct.
>
> Also, it does not work correctly for UTF-escapable characters.
>
> proc ns_dbquotevalue {val} {
>     set val [string map [list "'" "''" "\\" "\\\\"] $val]
>     return "'$val'"
> }
>
> Here's the code I used - it does not handle datatypes, but I never used
> them anyway :)
>
> Any comments on this one?
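To make the dialect point in the reply above concrete (Oracle versus MySQL/PostgreSQL), here is an added example that is not code from this thread or from AOLserver. It models in Python how the two kinds of SQL lexer decode a single-quoted literal: the "backslash dialect" rule (MySQL, and PostgreSQL before standard_conforming_strings defaulted to on), where a backslash escapes the next character, and the standard-SQL rule (Oracle), where only a doubled quote is special. It then runs both quoting strategies, quote-doubling only (what the original ns_dbquotevalue did) and the poster's quote-and-backslash doubling, through each lexer. The `users` query, the sample inputs and the four result labels are constructed for illustration.

```python
# Added example, not code from the thread: a toy SQL string-literal lexer
# used to show why one ns_dbquotevalue cannot be right for both a
# backslash-escaping dialect (MySQL, old PostgreSQL) and standard SQL
# (Oracle), where a backslash is an ordinary character.

def quote_double_only(val):
    """Quote-doubling only: the original ns_dbquotevalue behaviour."""
    return "'" + val.replace("'", "''") + "'"

def quote_backslash_aware(val):
    """The poster's replacement: double both quotes and backslashes
    (equivalent to the Tcl 'string map' in the thread)."""
    return "'" + val.replace("\\", "\\\\").replace("'", "''") + "'"

class Unterminated(Exception):
    """The literal ran to end of input without a closing quote."""

def read_literal(sql, pos, backslash_escapes):
    """Decode the single-quoted literal that starts at sql[pos].

    Returns (decoded_value, index_just_past_the_closing_quote).
    backslash_escapes=True models MySQL / old PostgreSQL, where a
    backslash escapes the following character; False models standard
    SQL, where only a doubled quote is special.
    """
    assert sql[pos] == "'"
    i = pos + 1
    out = []
    while i < len(sql):
        c = sql[i]
        if c == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                out.append("'")          # '' -> one literal quote
                i += 2
                continue
            return "".join(out), i + 1   # a lone quote closes the literal
        if c == "\\" and backslash_escapes and i + 1 < len(sql):
            out.append(sql[i + 1])       # \x -> x (covers \' and \\)
            i += 2
            continue
        out.append(c)
        i += 1
    raise Unterminated(sql)

# Constructed query template; the quoted value is spliced in the middle.
PREFIX = "SELECT * FROM users WHERE name = "
SUFFIX = " AND active = 1"

def classify(quoter, value, backslash_escapes):
    """Embed value with quoter, re-lex as the dialect would, and report:
    'ok'           the value round-trips and the rest of the SQL is intact
    'wrong-value'  the literal decodes to something other than the input
    'unterminated' the literal swallows the rest of the statement
    'injected'     text after the literal is no longer our own SQL
    """
    sql = PREFIX + quoter(value) + SUFFIX
    try:
        decoded, end = read_literal(sql, len(PREFIX), backslash_escapes)
    except Unterminated:
        return "unterminated"
    if sql[end:] != SUFFIX:
        return "injected"
    if decoded != value:
        return "wrong-value"
    return "ok"

if __name__ == "__main__":
    # Constructed inputs: the thread's string and a classic break-out payload.
    samples = ["ABC'DEF\\'", "\\' OR 1=1 -- "]
    quoters = [("double-only", quote_double_only),
               ("backslash-aware", quote_backslash_aware)]
    dialects = [("backslash-dialect", True), ("standard-sql", False)]
    for qname, quoter in quoters:
        for dname, esc in dialects:
            for value in samples:
                print(f"{qname:16} {dname:18} {value!r:20} -> "
                      f"{classify(quoter, value, esc)}")
```

Running it shows the two failure modes in one table: quote-doubling alone leaves `\' OR 1=1 -- ` free to close the literal early under the backslash dialect (the "execute functions in your database" case from the first reply), while the quote-and-backslash doubling that fixes MySQL and old PostgreSQL corrupts the stored value under standard-SQL quoting, which is the Oracle behaviour the reply is worried about. Which rule a given PostgreSQL applies depends on its `standard_conforming_strings` setting, so the right quoter is a property of the connection, not of the function.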