17 Sep
2021
17 Sep
'21
9:51 a.m.
On Sep 17, 2021, at 9:14 AM, Antônio Modesto <modesto@hubsoft.com.br> wrote:
That's really a problem. I did some tests and I don't think it is possible to do sql injection without allowing a single quote in safe_characters. Am I missing something?
Backslashes? Various other things? You'll have to investigate your particular database in detail to see what's possible. We've listed what we know is safe. Anything else is potentially dangerous. Alan DeKok.