From: [EMAIL PROTECTED] (Randal L. Schwartz)

> The application was developed under PHP 4.2.1, Apache and MSSQL.
>
> We started our tests by adding a ' (single quote) to the POST info.
>
> Since PHP escapes ' and " , turning the ' into a \' but SQL Server
> uses 2 single quotes ('') to escape a quote (') we were allowed to
> execute our code:
> ...
When I first heard about this "feature" I thought someone went crazy. How is the language supposed to know what characters need to be escaped, and how, in each particular case? All you get this way is a false feeling of security. Or you waste a lot of time trying to figure out why something doesn't match or where the silly backslashes came from. It's the programmers' job to make sure everything that needs to be escaped IS escaped.

Jenda

(Sorry, couldn't resist.)

===== [EMAIL PROTECTED] === http://Jenda.Krynicky.cz =====
When it comes to wine, women and song, wizards are allowed
to get drunk and croon as much as they like.
-- Terry Pratchett in Sourcery
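The mismatch the thread describes, as an added example that is not part of the original posts: a toy scanner that reads a string literal the way SQL Server does (backslash is an ordinary character, '' is the only escape) shows that PHP-style backslash escaping closes the literal early while the input itself is harmless, whereas doubling the quote keeps it inside. The function names, the sample SELECT and the input "O'Brien" are constructed for this example; in practice the check to make is "does my escaping match the target database's rules?", and parameterized queries remove the question entirely.

```python
# Added example, not from the thread: a toy T-SQL literal scanner showing why
# PHP's backslash escaping (magic_quotes_gpc / addslashes) does not match
# SQL Server, where the only escape inside a string literal is a doubled quote.

def php_addslashes(s: str) -> str:
    """Mimic PHP addslashes(): backslash before ' " \\ and NUL."""
    out = []
    for ch in s:
        if ch == "\x00":
            out.append("\\0")
        elif ch in "'\"\\":
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def tsql_quote(s: str) -> str:
    """SQL Server style: a quote inside a literal is written as ''."""
    return s.replace("'", "''")

def scan_literal(sql: str, start: int):
    """Scan the single-quoted literal starting at sql[start] the way T-SQL
    does: backslash is an ordinary character, '' is one literal quote.
    Returns (literal_value, index just past the closing quote)."""
    i, value = start + 1, []
    while i < len(sql):
        if sql[i] == "'":
            if sql[i + 1:i + 2] == "'":      # doubled quote -> literal quote
                value.append("'")
                i += 2
                continue
            return "".join(value), i + 1     # closing quote
        value.append(sql[i])
        i += 1
    raise ValueError("unterminated string literal")

def what_sql_server_sees(escape, user_input: str):
    """Interpolate the escaped input into WHERE name = '...' (constructed
    query) and return the literal's value plus any leftover text after it;
    leftover text means the literal closed early and the rest is parsed as SQL."""
    sql = "SELECT * FROM users WHERE name = '" + escape(user_input) + "'"
    value, end = scan_literal(sql, sql.index("'"))
    return value, sql[end:]

if __name__ == "__main__":
    for name, esc in (("addslashes", php_addslashes), ("T-SQL ''", tsql_quote)):
        print(name, what_sql_server_sees(esc, "O'Brien"))
```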