[Esapi-dev] MySQL escaping
mike.boberski at gmail.com
Sun Jan 10 19:24:42 EST 2010
Andrew had some thoughts about this, if he has the cycles to chime in. My
notes about this from talking with him are at my office.
On Sun, Jan 10, 2010 at 6:36 PM, Jim Manico <jim.manico at owasp.org> wrote:
> I've been told that replacing ' with '' for MySQL encoding is not
> enough. But I'm not sure that I agree. I did some testing, and for
> queries like
> select id from person where name = '$data';
> simply doing $data = $data.replace("'", "''")
> is sufficient and accurate encoding, so long as no-backslash-escapes
> mode is on, which is default in (at least) the latest MySQL 5 branch.
> Does anyone have experience with this?
> Jim Manico
> OWASP Podcast Host/Producer
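The question in the thread, whether replacing ' with '' is enough, comes down to how the server tokenizes the string literal, which depends on whether NO_BACKSLASH_ESCAPES is in sql_mode. The following Python is an added illustration, not code from ESAPI or from anyone on the thread: it models MySQL's single-quoted literal parsing in both modes (simplified to the '' and \x escapes only; \n, \0 and the other named escapes are left out) and checks whether the escaped data stays inside the literal. The function names and the "name = '$data'" query shape are taken from Jim's message; everything else is assumed for the example.

```python
# Added example (not part of the ESAPI thread): a minimal model of how MySQL
# reads a single-quoted string literal, parameterised by whether backslash
# escapes are active (i.e. NO_BACKSLASH_ESCAPES absent from sql_mode).
# Used to check whether a given escaping routine keeps data inside the literal.

def parse_literal(sql, backslash_escapes=True):
    # Parse one single-quoted literal at the start of `sql`.
    # Returns (decoded_value, remainder); `remainder` is the text the server
    # would go on to interpret as SQL once the literal has closed.
    # Modelled rules:
    #   - two quotes inside a literal decode to one quote (both modes)
    #   - backslash followed by x decodes to x, only when backslash_escapes
    #     is True (simplification: ignores \n, \0, \Z and friends)
    assert sql.startswith("'"), "expected a quoted literal"
    out = []
    i = 1
    while i < len(sql):
        ch = sql[i]
        if ch == "\\" and backslash_escapes and i + 1 < len(sql):
            out.append(sql[i + 1])
            i += 2
        elif ch == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                out.append("'")
                i += 2
            else:
                return "".join(out), sql[i + 1:]
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated string literal")


def escape_quote_doubling(data):
    # The escape discussed in the thread: ' becomes ''.
    return data.replace("'", "''")


def escape_backslash_mode(data):
    # Escape for the default (backslash-escapes) mode: backslash is doubled
    # and the quote is backslash-escaped. This is the subset of what
    # mysql_real_escape_string does for these two characters (hypothetical
    # simplification: NUL, newline, carriage return and Ctrl-Z are omitted).
    return data.replace("\\", "\\\\").replace("'", "\\'")


PREFIX = "select id from person where name = "


def build_query(data, escape):
    # Same query shape as in the thread, with the escaped data spliced in.
    return PREFIX + "'" + escape(data) + "';"


def check_escape(data, escape, backslash_escapes):
    # Build the query, parse the literal as the server would, and report
    # whether the data survived intact and nothing leaked out as SQL.
    query = build_query(data, escape)
    value, remainder = parse_literal(query[len(PREFIX):], backslash_escapes)
    contained = (value == data) and (remainder == ";")
    return contained, value, remainder


if __name__ == "__main__":
    # Constructed sample inputs: a plain apostrophe, and a backslash
    # immediately followed by a quote.
    for data in ("O'Brien", "\\' x"):
        for escape in (escape_quote_doubling, escape_backslash_mode):
            for mode in (True, False):
                ok, value, rest = check_escape(data, escape, mode)
                print(f"{escape.__name__:24} backslash_escapes={mode!s:5} "
                      f"data={data!r:10} contained={ok} remainder={rest!r}")
```

Running this shows the mode dependence both ways: quote-doubling keeps a backslash-then-quote input inside the literal only when backslash escapes are off, and backslash-style escaping keeps it inside only when they are on. Whichever routine is chosen has to match the connection's actual sql_mode, which is the usual argument for bound parameters over string escaping.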