[Esapi-dev] MySQL escaping

Mike Boberski mike.boberski at gmail.com
Sun Jan 10 19:24:42 EST 2010


Andrew had some thoughts about this, if he has the cycles to chime in. My
notes about this from talking with him are at my office.

Mike


On Sun, Jan 10, 2010 at 6:36 PM, Jim Manico <jim.manico at owasp.org> wrote:

> I've been told that replacing ' with '' for MySQL encoding is not
> enough. But I'm not sure that I agree. I did some testing, and for
> queries like
>
> select id from person where name = '$data';
>
> simply doing $data = $data.replace("'", "''")
>
> is sufficient and accurate encoding, so long as no-backslash-escapes
> mode is on, which is default in (at least) the latest MySQL 5 branch.
>
>
> http://dev.mysql.com/doc/refman/5.1/en/server-sql-mode.html#sqlmode_no_backslash_escapes
>
> Does anyone have experience with this?
>
> --
> Jim Manico
> OWASP Podcast Host/Producer
> http://www.manico.net
>
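The question in the thread is whether doubling the single quote is a complete escape for a '...' literal. The example below is added here and is not code from the original post or from ESAPI; it models the two sql_modes the thread contrasts with a small emulation of how MySQL's tokenizer finds the end of a single-quoted literal. With NO_BACKSLASH_ESCAPES on, the backslash is an ordinary character and quote doubling alone keeps every sample inside the literal; in the default mode, the backslash starts an escape sequence, so the encoder must also escape backslashes (the character set `mysql_real_escape_string` handles). The practical check is that the encoder used must match the sql_mode the server actually runs with, which the application should verify rather than assume. The sample inputs are constructed, and the tokenizer emulation is a deliberate simplification (no double-quoted literals, comments, or multibyte character set handling).

```python
"""Quote-doubling versus backslash escaping for MySQL string literals.

Added example (not ESAPI code). It models two sql_modes:
  * NO_BACKSLASH_ESCAPES: backslash is an ordinary character, so doubling
    the single quote is a complete escape for a '...' literal.
  * default mode: backslash introduces escape sequences, so an encoder
    that only doubles quotes leaves "\\'" intact and the literal ends early.
"""


def encode_ansi(data: str) -> str:
    """Escape for NO_BACKSLASH_ESCAPES mode: only the quote needs doubling."""
    return data.replace("'", "''")


def encode_mysql_standard(data: str) -> str:
    """Escape for MySQL's default mode.

    Mirrors the characters mysql_real_escape_string treats specially:
    NUL, newline, carriage return, backslash, both quotes and Ctrl-Z.
    """
    table = {
        "\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
        "'": "\\'", '"': '\\"', "\x1a": "\\Z",
    }
    return "".join(table.get(ch, ch) for ch in data)


def string_literal_end(sql: str, start: int, backslash_escapes: bool) -> int:
    """Index of the closing quote of the single-quoted literal that starts at
    sql[start] == "'", emulating the tokenizer for the two modes.
    Returns -1 if the literal never terminates."""
    i = start + 1
    while i < len(sql):
        ch = sql[i]
        if backslash_escapes and ch == "\\":
            i += 2                      # escape sequence: skip the next char
            continue
        if ch == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                i += 2                  # doubled quote stays inside the literal
                continue
            return i
        i += 1
    return -1


def literal_is_contained(encoded: str, backslash_escapes: bool) -> bool:
    """True if wrapping `encoded` in quotes yields exactly one literal that
    consumes the whole payload, i.e. nothing leaks into SQL context."""
    sql = "'" + encoded + "'"
    return string_literal_end(sql, 0, backslash_escapes) == len(sql) - 1


# Constructed inputs: a benign name with an apostrophe, the same name with a
# backslash before the apostrophe, and a value ending in a backslash.
SAMPLES = ["O'Brien", "O\\'Brien", "trailing\\"]


def check_all() -> dict:
    """For each sample, report whether each encoder keeps it inside the
    literal under the mode it is (or is not) designed for."""
    results = {}
    for s in SAMPLES:
        results[s] = {
            "ansi_under_no_backslash": literal_is_contained(encode_ansi(s), False),
            "ansi_under_default": literal_is_contained(encode_ansi(s), True),
            "standard_under_default": literal_is_contained(encode_mysql_standard(s), True),
        }
    return results


if __name__ == "__main__":
    for sample, outcome in check_all().items():
        print(repr(sample), outcome)
```

Running it shows `encode_ansi` containing all three samples only when the emulation runs in NO_BACKSLASH_ESCAPES mode; under the default mode the backslash-bearing samples are not contained, while `encode_mysql_standard` contains them. The design point is that the two encoders are not interchangeable, so the choice belongs to whoever knows the server's sql_mode, not to the code that happens to be building the query.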