Hi Bram,

If you use containers for your queries, there are no SQL-injection possibilities.

For instance, you could have the following in the past:

    <mm:import id="bla" />
    <mm:listnodes type="object" constraints="description LIKE '$bla'">
      ...
    </mm:listnodes>

In this example you can have SQL injection, and by coding it this way it's easy to forget to escape the imports.

Nowadays, you can do the following:

    <mm:import id="bla" />
    <mm:listnodescontainer type="object">
      <mm:constraint field="description" referid="bla" operator="LIKE" />
      <mm:listnodes>
        ...
      </mm:listnodes>
    </mm:listnodescontainer>

No possibility for any injection here, because by using the mm:constraint you are sure that MMBase will escape the value for you somewhere in the query layer.

So unless you have a very, VERY good reason (and I can't think of any!), use the container variants and forget the 'constraints=' attribute.

Johannes

On 4/23/07, Bram Enning <[EMAIL PROTECTED]> wrote:
Hi, is there an easy way in MMBase to protect against SQL-injection hacks (in MySQL)?

greetings!

_______________________________________________
Users mailing list
[email protected]
http://lists.mmbase.org/mailman/listinfo/users

--
Mail: mailto:[EMAIL PROTECTED]
Web: http://www.verelst.net/
Blog: http://keukenhelden.nl/
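The difference Johannes describes, the value pasted into the SQL text (the old 'constraints=' attribute) versus the value handed to the query layer as a bound parameter (mm:constraint), shown as an added example that is not MMBase code and not part of the thread. It uses Python's sqlite3 module with a constructed in-memory "object" table standing in for the MMBase schema; the MMBase taglib and its query layer are not modelled, only the principle. It also covers one caveat the thread does not mention: parameter binding stops injection, but LIKE's own wildcards (% and _) still come from the user and need separate escaping when the input must match literally.

```python
import sqlite3

# Constructed sample rows standing in for an MMBase "object" table.
SAMPLE_ROWS = [
    (1, "public announcement"),
    (2, "internal memo"),
    (3, "secret budget"),
]


def make_db():
    """Build an in-memory table with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE object (number INTEGER PRIMARY KEY, description TEXT)")
    conn.executemany("INSERT INTO object VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_unsafe(conn, bla):
    """The 'constraints="description LIKE \\'$bla\\'"' style: the value is spliced
    into the SQL string, so a quote inside it changes the query's structure."""
    sql = ("SELECT number FROM object WHERE description LIKE '" + bla + "'"
           " ORDER BY number")
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, bla):
    """The mm:constraint style: the value is sent as a bound parameter and the
    database only ever treats it as data, never as SQL."""
    sql = "SELECT number FROM object WHERE description LIKE ? ORDER BY number"
    return [row[0] for row in conn.execute(sql, (bla,))]


def like_literal(s, esc="\\"):
    """Binding prevents injection but leaves LIKE's % and _ wildcards active.
    Escape them (and the escape character itself) for a literal match."""
    return (s.replace(esc, esc + esc)
             .replace("%", esc + "%")
             .replace("_", esc + "_"))


def search_literal(conn, bla):
    """Bound parameter plus wildcard escaping: matches the input exactly."""
    sql = ("SELECT number FROM object WHERE description LIKE ? ESCAPE '\\'"
           " ORDER BY number")
    return [row[0] for row in conn.execute(sql, (like_literal(bla),))]


if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"
    print("unsafe:", search_unsafe(db, hostile))   # every row leaks
    print("safe:  ", search_safe(db, hostile))     # nothing matches
    print("wildcard via binding:", search_safe(db, "%"))      # still all rows
    print("wildcard escaped:    ", search_literal(db, "%"))   # none
```

The first two calls show the point of the thread: with the value bound, the quote characters never reach the SQL parser. The last two show why "escaped for you in the query layer" is only about injection: a bare `%` is a legitimate LIKE pattern and still matches everything unless the application escapes it.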
