This is the new home of the egghelp.org community forum.
All data has been migrated (including user logins/passwords) to a new phpBB version.


For more information, see this announcement post. Click the X in the top right-corner of this box to dismiss this message.

[solved-ish] prevent sql injection?

Help for those learning Tcl or writing their own scripts.
Post Reply
l
lenore
Voice
Posts: 9
Joined: Sat Mar 15, 2008 5:48 am

[solved-ish] prevent sql injection?

Post by lenore »

does tcl have a nice function for preventing sql injection? a wash function maybe? or am i just gonna have to regexp for ' " ; etc and escape them?
Last edited by lenore on Sat Mar 22, 2008 10:29 pm, edited 1 time in total.
User avatar
speechles
Revered One
Posts: 1398
Joined: Sat Aug 26, 2006 10:19 pm
Location: emerald triangle, california (coastal redwoods)

Post by speechles »

Code: Select all

set washed [string map {" \" ' \' ; \;} $text]
User avatar
Sir_Fz
Revered One
Posts: 3794
Joined: Sun Apr 27, 2003 3:10 pm
Location: Lebanon
Contact:

Post by Sir_Fz »

Actually that'll cause an error, use

Code: Select all

set washed [string map {\" \\\" ' \\' ; \\;} $text]
l
lenore
Voice
Posts: 9
Joined: Sat Mar 15, 2008 5:48 am

Post by lenore »

thanks chaps :) (goes to post the next question)
m
metroid
Owner
Posts: 771
Joined: Wed Jun 16, 2004 2:46 am

Post by metroid »

If you use mysqltcl then mysql::escape should work fine.
User avatar
rosc2112
Revered One
Posts: 1454
Joined: Sun Feb 19, 2006 8:36 pm
Location: Northeast Pennsylvania

Post by rosc2112 »

A good general security rule, when dealing with suspect input, is to have a list of allowed chars (A-Za-z0-9, etc), rather than a list of disallowed chars (more likely to overlook some chars when trying to disallow.) The allowed list would likely be shorter as well.
l
lenore
Voice
Posts: 9
Joined: Sat Mar 15, 2008 5:48 am

Post by lenore »

rosc2112 wrote:A good general security rule, when dealing with suspect input, is to have a list of allowed chars (A-Za-z0-9, etc), rather than a list of disallowed chars (more likely to overlook some chars when trying to disallow.) The allowed list would likely be shorter as well.
good point, thankyou
Post Reply