On Mon, Dec 6, 2010 at 7:45 PM, Karl Wright <daddy...@gmail.com> wrote:
> Since quoteSQLString uses ' as it's quotation mark, and properly > escapes ' characters within the string, I claim that the method is > properly written and cannot be used for a sql attack. If you > disagree, provide me a string that "breaks" the escaping that it does. Just so you know Karl, security issues shouldn't be treated like 'regular bugs'. Users/developers shouldnt need to write 'test cases' when code is obviously insecure, we should instead write code securely, and specify parameters as parameters so that we know they aren't going to be interpreted as syntax. That being said, my examples were just fine, examples. For postgresql an example problem is that ' can also be escaped with a \. (http://www.postgresql.org/docs/8.2/static/sql-syntax-lexical.html) Thus, in some situations its possible for me to bypass your escaping by using the sequence \', which you will escape into \'', giving me an unescaped single quote. This is just *an example*, as i said before to demonstrate why escaping is dangerous, I'm not going to go back-and-forth with you on this as to whether or not manifoldcf has a problem in any particular circumstances. Someone motivated will always bypass escaping. We should make parameters, parameters.
