On 30/10/2018 18:06, Stefan Winter wrote:
Hi,
Not a problem if the queries are properly escaped or parameterised.
That's what the "safe_characters" configuration does. Allows "safe" characters, and escapes everything else.
Well, to be fair to the OP: using prepared statements would make all those escaping adventures obsolete.
Or just using conventional escape mechanisms (e.g. mysql_real_escape_string()).
In other projects, I learned to love the ability to defer all escaping questions to the library, and just send the stuff I want to send, with peace of mind that this is exactly what will end up in the DB.
My account management system is written using the Yii PHP framework, and it uses PDO, hence apostrophes etc. safely ending up in the database. It's a long time since I wrote in C but I am guessing that the following added to sql_escape_func() inside rlm_sql.c would sort it: case '\'': if (outlen <= 2) break; out[0] = '\\'; out[1] = '\''; in++; out += 2; outlen -= 2; len += 2; break;