Posted to torque-user@db.apache.org by Markus Müller <sp...@online.de> on 2009/09/16 09:00:33 UTC

Precautions against "SQL Injection"?

Hello,

are there any precautions against SQL Injection?

Example (http://de.wikipedia.org/wiki/SQL_Injection):

User enters the value 
    sql' ;GO EXEC cmdshell('format C') --
which leads to execution of statement
    SELECT url, title FROM myindex 
    WHERE keyword 
    LIKE '%sql' ;GO EXEC cmdshell('format C') --%'   
instead of
    SELECT url, title FROM myindex 
    WHERE keyword 
    LIKE '%sql%'

Best regards,
Markus Müller

-- 
Markus Müller, Karlsruhe, www.mm65.de

---------------------------------------------------------------------
To unsubscribe, e-mail: torque-user-unsubscribe@db.apache.org
For additional commands, e-mail: torque-user-help@db.apache.org


Re: Precautions against "SQL Injection"?

Posted by Luca Ciocci <l....@askweb.it>.
Hi, I don't think that it is so easy to do SQL Injection with Torque; all
query data are SQL escaped.

Bye!

On Wed, 16/09/2009 at 11.10 +0200, Graham Leggett wrote:
> Markus Müller wrote:
> 
> > are there any precautions against SQL Injection?
> 
> My understanding is that all SQL statements generated either use
> prepared statements, or their arguments are escaped as per the
> database's requirements.
> 
> If torque allowed sql injection, that would be a major security flaw.
> 
> Regards,
> Graham
> --
> 




Re: Precautions against "SQL Injection"?

Posted by Graham Leggett <mi...@sharp.fm>.
Markus Müller wrote:

> are there any precautions against SQL Injection?

My understanding is that all SQL statements generated either use
prepared statements, or their arguments are escaped as per the
database's requirements.

If torque allowed sql injection, that would be a major security flaw.

Regards,
Graham
--
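The two query shapes the replies contrast, shown as an added plain-JDBC example (not Torque's own code and not posted in this thread): the concatenated form is the one Markus's payload rewrites, the bound-parameter form keeps the input as data. The KeywordSearch class, the search method and the wildcard escaping are assumptions built around the myindex query from the question; the ESCAPE clause is standard SQL but its exact spelling can vary by database.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

public class KeywordSearch {

    // Vulnerable form: the user's text is spliced into the SQL string, so a value
    // such as  sql' ;GO EXEC cmdshell('format C') --  becomes part of the statement
    // instead of part of the LIKE pattern.
    static String vulnerableSql(String userInput) {
        return "SELECT url, title FROM myindex WHERE keyword LIKE '%" + userInput + "%'";
    }

    // Hardened form: the SQL text is fixed at compile time and the value travels as a
    // bound parameter, so quotes, semicolons and comment markers in it stay data.
    static final String SAFE_SQL =
        "SELECT url, title FROM myindex WHERE keyword LIKE ? ESCAPE '\\'";

    // Binding alone does not stop a user from widening the pattern with % or _,
    // so the LIKE wildcards are escaped as well (backslash first, then the wildcards).
    static String escapeLikeWildcards(String s) {
        return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_");
    }

    // Runs the parameterised query and returns (url, title) pairs.
    static List<String[]> search(Connection conn, String userInput) throws SQLException {
        List<String[]> rows = new ArrayList<>();
        try (PreparedStatement ps = conn.prepareStatement(SAFE_SQL)) {
            ps.setString(1, "%" + escapeLikeWildcards(userInput) + "%");
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    rows.add(new String[] { rs.getString("url"), rs.getString("title") });
                }
            }
        }
        return rows;
    }
}
```

With the bound form, the payload from the question is simply searched for as a literal substring of keyword and matches nothing.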