You don't have CVS-access of your own?
/ Martin Nilsson (saturator)
Previous text:
2003-10-22 02:15: Subject: Re: Proposal-patch for documentation of Sql.pike
Oh, BTW. I was asked to ask to explain SQL injections yesterday. Would this amendment be superfluous in a pike manual?
$ cvs diff -u Sql.pike Index: Sql.pike =================================================================== RCS file: /cvs/Pike/7.5/lib/modules/Sql.pmod/Sql.pike,v retrieving revision 1.68 diff -u -r1.68 Sql.pike --- Sql.pike 30 Jul 2003 02:30:33 -0000 1.68 +++ Sql.pike 22 Oct 2003 00:10:36 -0000 @@ -28,6 +28,20 @@
//! @decl string quote(string s) //! Quote a string @[s] so that it can safely be put in a query. +//! +//! All input that is used in SQL-querys should be quoted to prevent +//! SQL injections. +//! +//! Consider this harmfull code: +//! @code +//! string my_input = "rob' OR name!='rob"; +//! string my_query = "DELETE FROM tblUsers WHERE name='"+my_input+"'"; +//! my_db->query(my_query); +//! @endcode +//! +//! This type of problems can be avoided by quoting @tt{my_input@}. +//! @tt{my_input@} would then probably read something like +//! @i{rob' OR name!='rob@}
function(string:string) quote = .sql_util.quote;
@@ -340,9 +354,16 @@ return ({sprintf(query,@args), b}); }
-//! Send an SQL query to the underlying SQL-server. The result is returned -//! as an array of mappings indexed on the name of the columns. -//! Returns 0 if the query didn't return any result (e.g. INSERT or similar). +//! Send an SQL query to the underlying SQL-server. +//! Returns +//! @ol +//! @item +//! The result as an array of mappings indexed on the name +//! of the columns. +//! @item +//! 0 if the query didn't return any result (e.g. INSERT or similar). +//! @item +//! Throws an exception if the query fails. //! //! @param q //! Query to send to the SQL-server. This can either be a string with the @@ -359,8 +380,12 @@ //! the variable is used. //! //! @code -//! query("select foo from bar where gazonk=:baz", -//! ([":baz":"value"])) ) +//! mixed err = catch { +//! query("SELECT foo FROM bar WHERE gazonk=:baz", +//! ([":baz":"value"])); +//! }; +//! if(!intp(err)) +//! werror("An error occured."); //! @endcode //! //! Binary values (BLOBs) may need to be placed in multisets.
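Review bot: In the first hunk (the @[quote] doc, @@ -28,6 +28,20 @@), the sentence showing what @tt{my_input@} "would then probably read" gives the same string as the unquoted input (@i{rob' OR name!='rob@}), so the example never shows the effect of quoting; it should show the escaped form that @[quote] produces, with the embedded single quotes escaped according to the backend's convention. Two typos in the added lines: "harmfull" should be "harmful", and "SQL-querys" should be "SQL queries"; also "This type of problems" should read "This type of problem". Since the same file documents the bind-variable form of @[query] (the `:baz` / `([":baz":"value"])` example further down), it would be worth pointing to that form here as the preferred way to pass user input, with @[quote] as the fallback when a query has to be assembled by hand.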
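Review bot: In the second hunk (@@ -340,9 +354,16 @@), the third @item, "Throws an exception if the query fails.", is not a return value and does not belong under "Returns"; it should be a separate sentence (or a dedicated throws note) so the list only enumerates the two actual results, the array of mappings and 0. The list is also not ordered, so @ol reads oddly for what are two alternative outcomes; plain prose or an unordered list would fit better. The removed sentence "The result is returned as an array of mappings indexed on the name of the columns." was clearer than the split "Returns / @item The result as an array..." form, so consider keeping that wording in the first @item.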
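Review bot: In the third hunk (@@ -359,8 +380,12 @@), `if(!intp(err))` relies on every thrown error being a non-integer; `catch` returns 0 when the block succeeds, so the conventional and more robust check is simply `if(err)`. Typo in the added message: "occured" should be "occurred". Fixing the stray `)` in the old example (`([":baz":"value"])) )`) and uppercasing the SQL keywords is a good cleanup and worth keeping even if the catch wrapper is trimmed.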
/ Peter Lundqvist (disjunkt)