List: General Discussion
From: Michael Dykman Date: October 31 2009 11:52pm
Subject: Re: insert .. values('OH'No')
Nope, nothing you can do on the server end. The server will only
accept syntactically correct SQL statements and broken strings will
undermine that.

In practice, if you are careful to at least escape the quotes (i.e. '
--> \' ), you can avoid nasty SQL injection attacks, although some
statements may still be broken. In some contexts, % and & are also
candidates.

How is your home-made scripting language connecting to MySQL? If you
are using the MySQL C library, there is an 'escape string' function
designed specifically to clean up strings which are to be used as
values in SQL statements. I don't know the name of that function off
the top of my head, but I'm pretty sure 'escape' is the keyword.

 - michael dykman

On Sat, Oct 31, 2009 at 7:29 PM, Sydney Puente <sydneypuente@stripped> wrote:
> Thanks michael,
>
> Good question/observation - I am using a main stream language - an almost-homemade
> scripting language which does have a "replace" functionality which allows me to
> replace a ' with \' - on a per field basis - as I have dozens of fields to attend
> to, and would have to code this for each field.
>
> Which is a bit clunky.
> Anything I can do at the server end? Version 5.0.45.
>
> TIA
>
> Syd
>
>>Yes, there are plenty of smart ways to deal with this.  Each of them
>>is somewhat dependent on whatever general purpose programming language
>>you are using and/or the environment you are working in.
>
>>In PHP we have mysql_escape_string() or PDO, in Perl and Java, among
>>others, prepared statements are generally used.  Python appears to use
>>prepared statements under the covers.. it provides a similar
>>facility, at any rate.
>
>>What are you working in?
>
>> - michael dykman
>
>
>>On Fri, Oct 30, 2009 at 12:06 PM, Sydney Puente <sydneypuente@stripped> wrote:
>>> Hello,
>>>
>>> I am populating mysql with data, from an external source, that now and again in
>>> different fields has single quotes within the data intended to be inserted into varchars.
>>> This causes a sql parse error.
>>> Is there a smart way of dealing with this?
>>>
>>> TIA
>>>
>>> Syd
>
>
>
>



-- 
 - michael dykman
 - mdykman@stripped

"May you live every day of your life."
    Jonathan Swift
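
The approach the replies point to (bound parameters instead of per-field quote replacement), as an added example that is not part of the original thread. It uses Python's built-in sqlite3 as a stand-in for MySQL so it runs offline; the table `feed`, the sample row and the function names are constructed for illustration.

```python
import re
import sqlite3

# Constructed sample row from the "external source"; values carry quotes, % and a backslash.
ROW = {"code": "OH'No", "note": "50% off \\ 'today'", "city": "O'Fallon"}

IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def naive_insert(conn, table, row):
    """The failing approach from the thread: values pasted between quotes."""
    cols = ", ".join(row)
    vals = ", ".join("'%s'" % v for v in row.values())
    conn.execute("INSERT INTO %s (%s) VALUES (%s)" % (table, cols, vals))

def safe_insert(conn, table, row):
    """One generic routine for any number of fields: values are bound, never quoted by hand."""
    # Identifiers cannot be bound as parameters, so check them against a strict pattern.
    for name in [table, *row]:
        if not IDENT.match(name):
            raise ValueError("unexpected identifier: %r" % name)
    cols = ", ".join(row)
    marks = ", ".join("?" for _ in row)  # MySQL drivers for Python use %s here instead of ?
    conn.execute("INSERT INTO %s (%s) VALUES (%s)" % (table, cols, marks),
                 tuple(row.values()))

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE feed (code TEXT, note TEXT, city TEXT)")
    try:
        naive_insert(conn, "feed", ROW)
        naive_failed = False
    except sqlite3.OperationalError:  # the parse error the original poster hit
        naive_failed = True
    safe_insert(conn, "feed", ROW)
    stored = conn.execute("SELECT code, note, city FROM feed").fetchall()
    conn.close()
    return naive_failed, stored

if __name__ == "__main__":
    print(demo())
```

Because the values travel separately from the SQL text, the same routine covers every field without a per-field replace step, and the stored data comes back byte-for-byte as supplied.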