From: Emanuel Berg
Subject: Re: Printf and quoting in general, SQL injection in particular
Date: Sat, 26 Jun 2021 08:50:58 +0200
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/28.0.50 (gnu/linux)
Jean Louis wrote:

>>> I am thinking how can I make it safer for SQL queries.
>>
>> SQL injection isn't avoided by not assembling queries with
>> string functions but by quoting user input.
>
> It is impossible in `emacs-libpq' package to avoid
> formatting strings and passing it to database.
>
> What is possible is to minimize it so that users' input is
> automatically quoted by the database by passing it as
> parameters instead of passing data as parameters to `format'
> [...]

Relax, this notion that you shouldn't construct file paths by
string functions, nor SQL queries for that matter, and what
more? hyperlinks? or are you allowed to do that?

These opinions are "arguably" correct at best - and that means
some people will insist (argue) they are. And maybe that's
what's happening right now?

-- 
underground experts united
https://dataswamp.org/~incal
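As an added example that is not part of this thread, the distinction Jean Louis describes, shown with Python's sqlite3 module standing in for the PostgreSQL database behind emacs-libpq: the same lookup is built once with a string function and once with a bound parameter, then run on a name that contains an apostrophe. The table and rows are constructed for the demonstration.

```python
import sqlite3

# Constructed in-memory table; stands in for the database emacs-libpq
# would talk to.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.org"),
                      ("O'Brien", "obrien@example.org")])
    conn.commit()
    return conn

def lookup_formatted(conn, name):
    # Query assembled with a string function: the input becomes part of
    # the SQL text, so an apostrophe in the name alters the statement
    # itself (here it ends the literal early and the parse fails).
    sql = "SELECT email FROM users WHERE name = '%s'" % name
    return [row[0] for row in conn.execute(sql)]

def lookup_bound(conn, name):
    # Value passed as a parameter: the driver hands it to the database
    # separately from the SQL text, so the database treats it as data
    # and no manual quoting is needed.
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

def compare(name):
    # Returns (result of the formatted query, result of the bound query);
    # a failed formatted query is reported as an "error: ..." string.
    conn = make_db()
    try:
        formatted = lookup_formatted(conn, name)
    except sqlite3.OperationalError as exc:
        formatted = "error: %s" % exc
    bound = lookup_bound(conn, name)
    conn.close()
    return formatted, bound

if __name__ == "__main__":
    for n in ("alice", "O'Brien"):
        print(n, compare(n))
```

For "alice" both queries agree; for "O'Brien" the formatted query breaks while the bound one returns the row, which is the "quoted by the database" behaviour the quoted message refers to.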