Andrew N wrote:
> Hello.
> I have a quick question.
>
> I am going to take a form input from users to our web site and write a
> database record based on it. Pretty common I know. I've done it
> before, but now I am more concerned about security because the form
> field that is being logged will go verbatim into the database.
>
> I am running 4.9.5. Is there a native tag or does someone have a
> useful perl statement(s) that would strip out harmful characters and
> avoid things like SQL bombs.

Interchange has a [filter] tag that, given the type of filter as an
argument, can do what you want. In your case, you're interested in the
'sql' filter:

    [filter op=sql interpolate=1][cgi my_raw_form_data][/filter]

There are numerous other useful filters for all manner of data
transformation in addition to this one.

A word of caution on the sql filter in 4.9. Your version escapes by the
SQL-standard method of doubling up single quotes. Unfortunately, databases
such as MySQL and Postgres also allow backslash escaping, which means it's
still possible to produce SQL injections using a combination of single
quotes and backslashes. The current IC uses the native DBI quote method so
that escapes for a particular database are handled properly according to
its particular DBD.

Mark
--
Mark Johnson
End Point Corp.
_______________________________________________
interchange-users mailing list
suppressed
http://www.icdevgroup.org/mailman/listinfo/interchange-users
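To make the caveat in Mark's reply concrete, here is an added example (editor's code, not Interchange's filter nor DBI's quote method). It models the two string-literal lexer rules, SQL-standard (only '' is special) and MySQL-style (backslash also escapes), and shows how a value escaped only by doubling single quotes ends its literal early under the second rule, so the rest of the user input runs as SQL. Assumptions: quote_by_doubling is a stand-in for the 4.9 filter's behaviour as described above, not its real code; the lexer model ignores other escape forms; PAYLOAD is a constructed input; and sqlite3 stands in for MySQL/Postgres in the parameterised-query fix at the end. One caveat on the reply itself: in PostgreSQL the backslash rule applies only when standard_conforming_strings is off, which has not been the default since 9.1.

```python
"""
Added example (editor's code, not Interchange's): why escaping a value by
doubling single quotes only is not enough once the database also treats
backslash as an escape inside string literals, and what to do instead.
"""
import sqlite3
from typing import Optional


def quote_by_doubling(value: str) -> str:
    """Model of the SQL-standard rule the mail attributes to the 4.9 'sql'
    filter: wrap in single quotes and write each embedded quote as ''.
    This is an assumed stand-in for that filter, not its implementation."""
    return "'" + value.replace("'", "''") + "'"


def string_literal_end(sql: str, backslash_escapes: bool) -> Optional[int]:
    """Scan the string literal that starts at sql[0] ("'") the way a SQL
    lexer would and return the index just past its closing quote, or None
    if the literal never terminates.

    backslash_escapes=False : SQL standard, only '' is special.
    backslash_escapes=True  : MySQL rule (and PostgreSQL with
                              standard_conforming_strings off), where a
                              backslash also escapes the following char.
    Simplified model: other escape forms (e.g. \\x..) are ignored.
    """
    if not sql.startswith("'"):
        raise ValueError("expected a literal starting with a single quote")
    i, n = 1, len(sql)
    while i < n:
        ch = sql[i]
        if backslash_escapes and ch == "\\":
            i += 2          # backslash consumes the next character
            continue
        if ch == "'":
            if i + 1 < n and sql[i + 1] == "'":
                i += 2      # '' is an escaped quote, stay inside the literal
                continue
            return i + 1    # lone quote closes the literal
        i += 1
    return None


def sql_outside_literal(value: str, backslash_escapes: bool) -> str:
    """Everything the lexer sees AFTER the literal produced by
    quote_by_doubling(value). Empty string means the value was fully
    contained; anything else is user input executing as SQL."""
    literal = quote_by_doubling(value)
    end = string_literal_end(literal, backslash_escapes)
    return "" if end is None else literal[end:]


def literal_is_contained(value: str, backslash_escapes: bool) -> bool:
    """True when the doubled-quote literal ends exactly where the filter
    intended under the given lexer rule."""
    literal = quote_by_doubling(value)
    return string_literal_end(literal, backslash_escapes) == len(literal)


def store_with_placeholder(value: str) -> str:
    """The fix that needs no escaping rule at all: a parameterised INSERT.
    The driver ships the value separately from the SQL text, so nothing
    the user typed is ever lexed as SQL. sqlite3 (in memory) stands in
    for the real database; DBI placeholders work the same way in Perl."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute("CREATE TABLE feedback (id INTEGER PRIMARY KEY, body TEXT)")
        conn.execute("INSERT INTO feedback (body) VALUES (?)", (value,))
        (stored,) = conn.execute("SELECT body FROM feedback").fetchone()
    finally:
        conn.close()
    return stored


# Constructed payload: a backslash followed by a quote, then SQL of the
# attacker's choosing, with a trailing comment to swallow the closing quote.
PAYLOAD = "\\' OR 1=1 -- "

if __name__ == "__main__":
    print("filtered:", quote_by_doubling(PAYLOAD))
    for mode in (False, True):
        print(f"backslash_escapes={mode}: "
              f"contained={literal_is_contained(PAYLOAD, mode)!r}, "
              f"leaks={sql_outside_literal(PAYLOAD, mode)!r}")
    print("stored via placeholder:", store_with_placeholder(PAYLOAD))
```

Running it shows the filtered literal '\'' OR 1=1 -- ' fully contained under the SQL-standard rule but, under the backslash rule, closed after four characters with " OR 1=1 -- '" left over as live SQL; an ordinary value such as O'Reilly is safe under both rules, which is why the bug is easy to miss in testing. The parameterised INSERT stores the payload verbatim as data regardless of which lexer the server uses, which is the property DBI's placeholders (or a driver-aware quote method, as the newer Interchange uses) give you that a hand-written escaping rule does not.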