2 Nov
2018
2 Nov
'18
6:29 a.m.
On 02-11-18 11:06, Dom Latter wrote:
On 30/10/2018 18:06, Stefan Winter wrote:
Hi,
Not a problem if the queries are properly escaped or parameterised.
That's what the "safe_characters" configuration does. Allows "safe" characters, and escapes everything else.
Well, to be fair to the OP: using prepared statements would make all those escaping adventures obsolete.
Or just using conventional escape mechanisms (e.g. mysql_real_escape_string()).
The master branch actually has code like that: every SQL backend can have a specialised `sql_escape_func` that uses a sane escape method. It might be a nice thing to backport to v3.0.x as well (with a config option to enable it, it would break backwards compatibility otherwise) -- Herwin Weststrate