[asterisk-dev] func_odbc.conf - bind params ?
Tim Panton
thp at westhawk.co.uk
Fri Jun 13 09:09:44 CDT 2008
The web world is moving away from building SQL statements by concatenating strings, as it is too easy to hack (do a google for sql injection to see why).

func_odbc.conf offers the sensible advice that you should use SQL_ESC() to sanitize inputs. The problem with this is that it tends to go wrong when you have CallerIDs like "Bill's Surf shack" (and is vulnerable to Unicode escapes etc.).

The alternative strategy is to use bind params. On some platforms this will also give you a speedup because the query is only parsed once.

Is this something we should be looking into?

Tim.
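The three strategies the post contrasts, shown side by side as an added example that is not part of the original message and not Asterisk or func_odbc code. It stands in for the ODBC backend with Python's sqlite3 module, uses a hypothetical cidname table with constructed rows, and approximates SQL_ESC() with a quote-doubling function (an assumption about its behaviour; the real function is not reproduced here). The CallerID "Bill's Surf shack" from the post is used as the awkward-but-legitimate input, and a classic `' OR '1'='1` payload as the hostile one.

```python
import sqlite3

# Constructed sample rows for a hypothetical CallerID-name lookup table
# (not from the original post or from any Asterisk schema).
SAMPLE_ROWS = [
    ("18005551212", "Bill's Surf shack"),
    ("18005550100", "Alice Example"),
]

APOSTROPHE_NAME = "Bill's Surf shack"   # legitimate input containing a quote
INJECTED_NAME = "x' OR '1'='1"          # constructed hostile input


def make_db():
    """In-memory SQLite database standing in for the ODBC data source."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cidname (number TEXT, name TEXT)")
    conn.executemany("INSERT INTO cidname VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_concat(conn, name):
    """String concatenation: the pattern the post warns against.
    A quote in the input either breaks the statement or rewrites it."""
    sql = "SELECT number FROM cidname WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def sql_esc(value):
    """Assumed approximation of SQL_ESC(): double every single quote.
    Only the quote character is handled, which is why escaping is
    fragile across charsets and escape syntaxes."""
    return value.replace("'", "''")


def lookup_escaped(conn, name):
    """Concatenation after escaping: works for the quote case, but the
    statement text still depends on the input being escaped correctly."""
    sql = "SELECT number FROM cidname WHERE name = '" + sql_esc(name) + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, name):
    """Bind parameter: the statement text is fixed; the driver passes the
    value separately, so it can never be parsed as SQL."""
    sql = "SELECT number FROM cidname WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo():
    """Run all three strategies against both inputs and return the outcomes."""
    conn = make_db()
    results = {}
    try:
        results["concat_apostrophe"] = lookup_concat(conn, APOSTROPHE_NAME)
    except sqlite3.Error as exc:
        # The apostrophe terminates the string literal early: syntax error.
        results["concat_apostrophe"] = "error: " + str(exc)
    # The payload turns the WHERE clause into "name = 'x' OR '1'='1'".
    results["concat_injected"] = lookup_concat(conn, INJECTED_NAME)
    results["escaped_apostrophe"] = lookup_escaped(conn, APOSTROPHE_NAME)
    results["escaped_injected"] = lookup_escaped(conn, INJECTED_NAME)
    results["bound_apostrophe"] = lookup_bound(conn, APOSTROPHE_NAME)
    results["bound_injected"] = lookup_bound(conn, INJECTED_NAME)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20s} -> {value}")
```

Running it shows the three behaviours the post describes: plain concatenation fails on the legitimate name and returns every row for the hostile one; the escaped version gets both cases right here, but only because the single quote is the only character this toy escaper needs to know about; the bound version needs no escaping at all, because the value never becomes part of the statement text.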