[asterisk-dev] func_odbc.conf - bind params ?
Philipp Kempgen
philipp.kempgen at amooma.de
Fri Jun 13 17:50:17 CDT 2008
Tim Panton wrote:
> The web world is moving away from building SQL statements by
> concatenating strings, as it
> is too easy to hack (do a google for sql injection to see why).
>
> func_odbc.conf offers the sensible advice that you should use
> SQL_ESC() to sanitize inputs.
> The problem with this is that it tends to go wrong when you have
> CallerIds like
> "Bill's Surf shack".
The MySQL client library provides a function to escape anything
it needs to have escaped. Not sure about ODBC.
> (and is vulnerable to Unicode escapes etc).
Unicode escapes? Unicode is not a character encoding (aka charset
although the term is technically not correct). Unicode can be
encoded as UTF-8, UTF-16 (big-endian/little-endian), ...
So are you talking about UTF-8 encoded \xXX\xXX.. ?
Literal "\uXXXX"?
If you have an example of what slips through unescaped it
probably wouldn't hurt to provide it.
>
> The alternative strategy is to use bind params. On some platforms this
> will also
> give you a speedup because the query is only parsed once.
>
> Is this something we should be looking into ?
+1
Regards,
Philipp Kempgen
--
http://www.das-asterisk-buch.de - http://www.the-asterisk-book.com
Amooma GmbH - Bachstr. 126 - 56566 Neuwied -> http://www.amooma.de
Managing Director: Stefan Wintermeyer, Commercial Register: Neuwied B14998
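The three approaches discussed in this thread side by side, as an added example that is not part of the original post or of Asterisk's func_odbc code. It uses Python's built-in sqlite3 module standing in for an ODBC connection, and the `callers` table, its rows and the function names are constructed for the demonstration. The first lookup concatenates the caller ID into the statement, the second applies the quote-doubling escape that SQL_ESC() is meant to provide, and the third passes the caller ID as a bind parameter so the driver never has to interpret it as SQL text.

```python
import sqlite3


def setup_db():
    """Constructed sample data: an in-memory table standing in for whatever
    func_odbc would query (assumption, not Asterisk's own schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE callers (cid TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO callers VALUES (?, ?)",
        [("1001", "Bill's Surf shack"), ("1002", "Alice")],
    )
    return conn


def lookup_concatenated(conn, name):
    """The pattern the thread warns about: the caller ID becomes part of the
    SQL text, so an apostrophe ends the string literal early."""
    sql = "SELECT cid FROM callers WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_escaped(conn, name):
    """Manual escaping, the idea behind SQL_ESC(): double every single quote.
    Only as safe as the list of metacharacters it knows about and the
    charset the server actually uses to decode the bytes."""
    escaped = name.replace("'", "''")
    sql = "SELECT cid FROM callers WHERE name = '" + escaped + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn, name):
    """Bind parameter: the statement text is fixed and the value travels
    separately, so quotes and encoding quirks in the data stay data."""
    sql = "SELECT cid FROM callers WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def demo(caller_name="Bill's Surf shack"):
    """Run all three lookups on the same caller ID and report what happened."""
    conn = setup_db()
    results = {}
    try:
        results["concatenated"] = lookup_concatenated(conn, caller_name)
    except sqlite3.OperationalError as exc:
        # The apostrophe in "Bill's" breaks the statement: syntax error.
        results["concatenated"] = "error: %s" % exc
    results["escaped"] = lookup_escaped(conn, caller_name)
    results["bound"] = lookup_bound(conn, caller_name)
    return results


if __name__ == "__main__":
    for approach, outcome in demo().items():
        print("%-13s %s" % (approach, outcome))
```

On the "Bill's Surf shack" caller ID the concatenated query fails with a syntax error, while the escaped and bound versions both return the matching row. The difference is that the bound version needs no per-character knowledge of the database's quoting rules, which is why it also holds up on inputs the escaping routine was never written for.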