Simon L. Prinsloo
Guest
"quoter is not intended for the purpose at hand"?? Data with embedded quotes originates from users and databases and is not necessarily malicious data, but needs sanitizing nonetheless when building dynamic query strings. Sanitizing malicious input may not be the intent, but doing it works exactly the same as sanitizing legitimate data with embedded quotes. QUOTER() was originally introduced with, or closely after, QUERY-PREPARE(), to simplify the process of sanitizing data with embedded quotes. Due to QUOTER's close relation to QUERY-PREPARE(), I would expect them to behave consistently with each other. This means that QUOTER must resolve the octal sequence before it does its work, exactly like its companion that mandated its birth, but it does not. With a bit of a stretch, I can call that a bug. Even if nobody thought of it as a tool to resolve malicious use, enhancing it to be consistent with QUERY-PREPARE() would be the very simple solution to fix this and, as a bonus, safeguard all existing code against malicious attack. Think about it: if QUOTER() properly resolves octal sequences up front, sanitizing would work correctly for malicious cases as well, because then even possible comments will simply become part of the string and lose their special meaning to the query parser.
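The ordering argument above, as an added Python model that is not part of the post and not Progress code: a quoter that only doubles quotes is compared with one that resolves octal escapes first, and a check verifies whether the result is still a single string literal once the parser resolves escapes. It assumes the escape form is a tilde followed by three octal digits and that the parser resolves such escapes inside literals, as the post describes.

```python
import re

# Assumed escape form: a tilde followed by three octal digits (e.g. ~042 -> ").
OCTAL_ESCAPE = re.compile(r"~([0-7]{3})")


def resolve_octal(s: str) -> str:
    """Resolve ~nnn octal escapes into the characters they denote."""
    return OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), s)


def quoter_naive(value: str) -> str:
    """Model of a quoter that only doubles embedded quotes and wraps the value."""
    return '"' + value.replace('"', '""') + '"'


def quoter_resolved(value: str) -> str:
    """The post's proposal: resolve octal escapes first, then quote."""
    return quoter_naive(resolve_octal(value))


def literal_is_intact(quoted: str) -> bool:
    """True if, after the parser resolves escapes, the text is still one literal:
    outer quotes present and every interior quote part of a doubled pair."""
    seen = resolve_octal(quoted)
    if len(seen) < 2 or seen[0] != '"' or seen[-1] != '"':
        return False
    inner = seen[1:-1]
    i = 0
    while i < len(inner):
        if inner[i] == '"':
            if i + 1 < len(inner) and inner[i + 1] == '"':
                i += 2  # doubled quote: part of the data
                continue
            return False  # lone quote: the literal was cut short
        i += 1
    return True


if __name__ == "__main__":
    # Constructed sample value with an escaped quote in it.
    sample = "O~042Brien"
    print(quoter_naive(sample), literal_is_intact(quoter_naive(sample)))
    print(quoter_resolved(sample), literal_is_intact(quoter_resolved(sample)))
```

The check is a defensive test you can run over your own quoting routine: any quoter whose output fails `literal_is_intact` after escape resolution has the ordering problem the post describes.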