Re: preventing sql injection
- Subject: Re: preventing sql injection
- From: Johan Henselmans <email@hidden>
- Date: Thu, 25 Oct 2007 11:47:57 +0200
On 24 Oct 2007, at 23:53, Q wrote:
> This isn't SQL injection, it's just a filtering constraint.
> SQL injection is when someone enters something like "a' or 'a' =
> 'a" in your search field and instead of returning some restricted
> recordset it returns every row in the table because additional
> constraints have been injected into the query. Hence the name.
You are right. Sorry for the misunderstanding.
> If you don't want to allow '%' or '*' characters in your qualifier,
> remove them before you pass the string to EOF.
Soo....
Is there some formatter or something that will make a search-string
'wildcard-safe'? Or are these home-brewed?
> On 24/10/2007, at 6:38 PM, Johan Henselmans wrote:
> > I have to use a Qualifier with
> > QualifierOperatorCaseInsensitiveLike as the operator. The problem
> > is that it will also honor things like '%a%' or '*', which I do
> > not want. I searched for WebObjects and SQL injection, but could not
> > find anything. How do people get rid of the SQL wildcards if you
> > don't want them in your search strings?
> > Regards,
> > Johan Henselmans
> > http://www.netsense.nl
> > Tel: +31-20-6267538
> > Fax: +31-20-6273852
> --
> Seeya...Q
> Quinton Dolan - email@hidden
> Gold Coast, QLD, Australia (GMT+10)
> Ph: +61 419 729 806
Regards,
Johan Henselmans
http://www.netsense.nl
Tel: +31-20-6267538
Fax: +31-20-6273852
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Webobjects-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden
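Q's point and Johan's question are two separate layers: the "a' or 'a' = 'a" input only rewrites the query when the search term is pasted into the SQL text, while a '%' or '*' in the term is a wildcard problem that parameter binding alone does not solve. The following is an added example, not code from this thread or from WebObjects/EOF, that works both layers through against an in-memory SQLite table. The table, its rows, and the helper names (strip_wildcards, escape_like, search_unsafe, search_contains) are constructed for the illustration; the EOF qualifier layer itself is not modelled, but the same preprocessing of the string before it reaches the qualifier is what Q suggests.

```python
"""Wildcard-safe LIKE searches: parameter binding against injected SQL,
escaping or stripping against user-supplied wildcards (sqlite3, in-memory)."""
import sqlite3
from typing import List

# Characters SQL LIKE treats as wildcards, plus the shell-style wildcards the
# thread reports the qualifier honouring as well ('*' and '?').
LIKE_SPECIALS = "%_"
SHELL_WILDCARDS = "*?"
ESCAPE_CHAR = "\\"  # one backslash, declared with ESCAPE '\' in the SQL below


def strip_wildcards(term: str) -> str:
    """Option 1 (Q's suggestion): drop every wildcard character from the term."""
    return "".join(ch for ch in term if ch not in LIKE_SPECIALS + SHELL_WILDCARDS)


def escape_like(term: str) -> str:
    """Option 2: keep the characters but escape them so LIKE matches them
    literally. Only meaningful together with an ESCAPE clause using ESCAPE_CHAR."""
    out = []
    for ch in term:
        if ch == ESCAPE_CHAR or ch in LIKE_SPECIALS:
            out.append(ESCAPE_CHAR)
        out.append(ch)
    return "".join(out)


def build_db() -> sqlite3.Connection:
    """Constructed sample table (assumed data, not from the thread)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO customer (name) VALUES (?)",
        [("Alice Jansen",), ("Bob de Vries",), ("100% Cotton BV",), ("Carla_Smit",)],
    )
    conn.commit()
    return conn


def search_unsafe(conn: sqlite3.Connection, term: str) -> List[str]:
    """The failure mode Q describes: the term is concatenated into the SQL
    text, so quotes become syntax and wildcards go straight to the database."""
    sql = "SELECT name FROM customer WHERE name LIKE '" + term + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def search_contains(conn: sqlite3.Connection, term: str, mode: str = "escape") -> List[str]:
    """Case-insensitive substring search with the term bound as a parameter.
    mode='escape' matches '%' and '_' literally; mode='strip' removes all
    wildcard characters first (the approach suggested in the thread)."""
    if mode == "strip":
        literal = strip_wildcards(term)
        if not literal:
            return []  # a term that was only wildcards would otherwise match every row
        pattern = "%" + escape_like(literal) + "%"  # escape_like now only guards backslashes
    elif mode == "escape":
        pattern = "%" + escape_like(term) + "%"
    else:
        raise ValueError("mode must be 'strip' or 'escape'")
    # The term never touches the SQL text; ESCAPE '\' makes escaped wildcards literal.
    sql = "SELECT name FROM customer WHERE name LIKE ? ESCAPE '\\' ORDER BY id"
    return [row[0] for row in conn.execute(sql, (pattern,))]


if __name__ == "__main__":
    db = build_db()
    probe = "a' or 'a' = 'a"  # the input Q quotes in the thread
    print("concatenated:", search_unsafe(db, probe))        # every row
    print("bound:       ", search_contains(db, probe))      # [] (treated as literal text)
    print("concatenated:", search_unsafe(db, "%"))          # every row
    print("escaped:     ", search_contains(db, "%"))        # ['100% Cotton BV']
    print("stripped:    ", search_contains(db, "%cotton", mode="strip"))
```

Note the trade-off between the two modes: stripping keeps the user's intent approximately ("%cotton" still finds "100% Cotton BV") but silently changes the term, while escaping searches for exactly what was typed and so finds nothing for "%cotton". Whichever you choose, apply it before the string reaches the qualifier or query, and keep the term out of the SQL text entirely.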