[asterisk-dev] func_odbc.conf - bind params ?

Tilghman Lesher tilghman at mail.jeffandtilghman.com
Fri Jun 13 09:27:38 CDT 2008


On Friday 13 June 2008 09:09:44 Tim Panton wrote:
> The web world is moving away from building SQL statements by concatenating
> strings, as it is too easy to hack (do a Google for "sql injection" to see
> why).
>
> func_odbc.conf offers the sensible advice that you should use SQL_ESC() to
> sanitize inputs. The problem with this is that it tends to go wrong when
> you have CallerIDs like "Bill's Surf shack" (and is vulnerable to Unicode
> escapes etc.).
>
> The alternative strategy is to use bind params. On some platforms this will
> also give you a speedup because the query is only parsed once.
>
> Is this something we should be looking into?

You're certainly welcome to look into it.  The reason I didn't build it
originally like that was that I could not come up with a syntax that made
various SQL statements possible, while at the same time preserving the
ease of use.

If the SQL_ESC function is vulnerable to allowing Unicode escapes, then
perhaps we should fix that function.  The data I've worked with, though,
prevented even the possibility of Unicode from being in the arguments.

-- 
Tilghman
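
The three ways of building the lookup that the thread compares, side by side on the "Bill's Surf shack" case and on an injection payload. This is an added illustration, not code from the post or from Asterisk: an in-memory SQLite database stands in for the ODBC backend, the caller IDs are constructed samples, and SQL_ESC() is modelled as single-quote doubling, which is an assumption about its behaviour in func_odbc.

```python
import sqlite3

# Constructed sample inputs: a legitimate caller ID with an apostrophe and
# an injection payload. Neither comes from the mailing-list post.
LEGIT_CALLERID = "Bill's Surf shack"
HOSTILE_CALLERID = "x' OR '1'='1"


def make_db():
    """In-memory SQLite stands in for the ODBC-backed database (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cid (name TEXT, number TEXT)")
    conn.executemany(
        "INSERT INTO cid VALUES (?, ?)",
        [(LEGIT_CALLERID, "5551001"), ("Alice", "5551002"), ("Bob", "5551003")],
    )
    return conn


def sql_esc(value):
    """Model of func_odbc's SQL_ESC(): double every single quote.

    This is an assumption about what the dialplan function does; check the
    behaviour of the Asterisk version you run."""
    return value.replace("'", "''")


def lookup_concat(conn, callerid):
    """Vulnerable form: ${ARG1} spliced straight into the readsql text."""
    sql = "SELECT number FROM cid WHERE name = '" + callerid + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_escaped(conn, callerid):
    """What the func_odbc.conf advice produces: ... '${SQL_ESC(${ARG1})}'."""
    sql = "SELECT number FROM cid WHERE name = '" + sql_esc(callerid) + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, callerid):
    """Bind parameter: the driver keeps the data out of the statement text."""
    return [row[0] for row in conn.execute(
        "SELECT number FROM cid WHERE name = ?", (callerid,))]


def demo():
    """Run all three lookups on both inputs and collect what each returns."""
    conn = make_db()
    results = {}
    # The apostrophe in a legitimate name breaks naive concatenation outright.
    try:
        results["concat_legit"] = lookup_concat(conn, LEGIT_CALLERID)
    except sqlite3.OperationalError as e:
        results["concat_legit"] = "syntax error: " + str(e)
    # The payload turns the WHERE clause into a tautology and dumps every row.
    results["concat_hostile"] = lookup_concat(conn, HOSTILE_CALLERID)
    # Quote doubling survives the apostrophe and neutralises the payload...
    results["escaped_legit"] = lookup_escaped(conn, LEGIT_CALLERID)
    results["escaped_hostile"] = lookup_escaped(conn, HOSTILE_CALLERID)
    # ...and so does a bind parameter, with no string surgery at all.
    results["bound_legit"] = lookup_bound(conn, LEGIT_CALLERID)
    results["bound_hostile"] = lookup_bound(conn, HOSTILE_CALLERID)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The concatenated form fails on the honest apostrophe and returns every row for the payload; the escaped and bound forms both return exactly one number for "Bill's Surf shack" and nothing for the payload. The difference between the last two is where the correctness lives: quote doubling is only right while the escape routine and the database agree on what a quote character is (the well-known multibyte-charset problem with escaping-based sanitisation), whereas a bound parameter is never parsed as SQL, which is the property Tim is asking for.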
