Index: Sql.pike
===================================================================
RCS file: /cvs/Pike/7.5/lib/modules/Sql.pmod/Sql.pike,v
retrieving revision 1.68
diff -u -r1.68 Sql.pike
--- Sql.pike 30 Jul 2003 02:30:33 -0000 1.68
+++ Sql.pike 22 Oct 2003 13:46:49 -0000
@@ -28,6 +28,27 @@
 //! @decl string quote(string s)
 //! Quote a string @[s] so that it can safely be put in a query.
+//!
+//! All input that is used in SQL-querys should be quoted to prevent
+//! SQL injections.
+//!
+//! Consider this harmfull code:
+//! @code
+//! string my_input = "rob' OR name!='rob";
+//! string my_query = "DELETE FROM tblUsers WHERE name='"+my_input+"'";
+//! my_db->query(my_query);
+//! @endcode
+//!
+//! This type of problems can be avoided by quoting @tt{my_input@}.
+//! @tt{my_input@} would then probably read something like
+//! @i{rob' OR name!='rob@}
+//!
+//! Usually this is done - not by calling quote explicitly - but through
+//! using a @[sprintf] like syntax
+//! @code
+//! string my_input = "rob' OR name!='rob";
+//! my_db->query("DELETE FROM tblUsers WHERE name=%s",my_input);
+//! @endcode
 function(string:string) quote = .sql_util.quote;
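Review bot: The worked example never shows what quoting actually changes: the line `@i{rob' OR name!='rob@}` is identical to the unquoted `my_input`, so a reader cannot see that the apostrophes get escaped, which is the whole point of the paragraph. It should show the escaped form that `.sql_util.quote` produces (the apostrophes doubled, if that is what the helper does; worth checking against the sql_util module before committing). The description "so that it can safely be put in a query" would also benefit from stating the scope, e.g. `//! Note that quoting only protects a value placed inside a single-quoted string literal; it does not make a value safe to use as a number, a table or column name or a LIMIT argument.` The `%s` example is correct only if the extra-argument path inserts the surrounding quotes itself, which the bindings mapping returned next to `sprintf(query,@args)` in the second hunk suggests but the text does not say, so a sentence telling the caller not to add their own quotes around `%s` would close that gap. Minor spelling: "SQL-querys" → "SQL queries", "harmfull" → "harmful", "This type of problems" → "This type of problem".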
@@ -340,9 +361,20 @@
 return ({sprintf(query,@args), b});
 }
-//! Send an SQL query to the underlying SQL-server. The result is returned
-//! as an array of mappings indexed on the name of the columns.
-//! Returns 0 if the query didn't return any result (e.g. INSERT or similar).
+//! Send an SQL query to the underlying SQL-server.
+//! @returns
+//! Returns one of the following on success:
+//! @mixed
+//! @type array(mapping(string:string))
+//! The result as an array of mappings indexed on the name
+//! of the columns
+//! @type zero
+//! The value @expr{0@} (zero) if the query didn't return any
+//! result (eg @tt{INSERT@} or similar).
+//! @endmixed
+//!
+//! @throws
+//! Throws an exception if the query fails.
 //!
 //! @param q
 //! Query to send to the SQL-server. This can either be a string with the
@@ -359,8 +391,12 @@
 //! the variable is used.
 //!
 //! @code
-//! query("select foo from bar where gazonk=:baz",
-//! ([":baz":"value"])) )
+//! mixed err = catch {
+//! query("SELECT foo FROM bar WHERE gazonk=:baz",
+//! ([":baz":"value"]));
+//! };
+//! if(!intp(err))
+//! werror("An error occured.");
 //! @endcode
 //!
 //! Binary values (BLOBs) may need to be placed in multisets.
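Review bot: The error check `if(!intp(err))` in the new @code example does not express the condition it is meant to show: `catch` evaluates to 0 when the block completes normally and to the thrown value otherwise, so the test only works because errors happen not to be integers, and a thrown integer would be reported as success. The conventional check is `if(err)`, which also reads as the intent. Since this example is the only demonstration of the `@throws` paragraph added in the preceding hunk, it is worth getting right; the message line should also become `werror("An error occurred.\n");` (spelling, plus the newline that werror does not add). The `@returns` text in the preceding hunk has a similar small wording slip, "(eg @tt{INSERT@} or similar)" → "(e.g. @tt{INSERT@} or similar)".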
/ Peter Lundqvist (disjunkt)
Previous text:
2003-10-22 13:26: Subject: Re: Proposal-patch for documentation of Sql.pike
Good point.
/ Peter Lundqvist (disjunkt)