[solved-ish] prevent sql injection?

lenore · Post by **lenore** » Sat Mar 22, 2008 1:20 pm

does tcl have a nice function for preventing sql injection? a wash function maybe? or am i just gonna have to regexp for ' " ; etc and escape them?

speechles · Post by **speechles** » Sat Mar 22, 2008 2:09 pm

Code: Select all

set washed [string map {" \" ' \' ; \;} $text]

Post by **Sir_Fz** » Sat Mar 22, 2008 5:52 pm

Actually that'll cause an error, use

Code: Select all

set washed [string map {\" \\\" ' \\' ; \\;} $text]

lenore · Post by **lenore** » Sat Mar 22, 2008 10:28 pm

thanks chaps

(goes to post the next question)

metroid · Post by **metroid** » Sun Mar 23, 2008 2:01 am

If you use mysqltcl then mysql::escape should work fine.

rosc2112 · Post by **rosc2112** » Sun Mar 23, 2008 2:25 am

A good general security rule, when dealing with suspect input, is to have a list of allowed chars (A-Za-z0-9, etc), rather than a list of disallowed chars (more likely to overlook some chars when trying to disallow.) The allowed list would likely be shorter as well.

lenore · Post by **lenore** » Fri Mar 28, 2008 12:25 pm

rosc2112 wrote:A good general security rule, when dealing with suspect input, is to have a list of allowed chars (A-Za-z0-9, etc), rather than a list of disallowed chars (more likely to overlook some chars when trying to disallow.) The allowed list would likely be shorter as well.

good point, thankyou