[Seaside] Avoiding SQL injections with squeak / seaside / mysql driver
William Harford
seaside at harford.org
Thu Oct 19 20:33:14 UTC 2006
Vincent,
My image has String asEscapedSql; it may or may not be in your image,
but it is easy to add. Assuming you don't use "s to surround strings,
the following should work.
asEscapedSql
	"Answer a copy of the receiver in which every ' and every \ is doubled,
	for use inside a single-quoted SQL string literal."
	^String streamContents: [ :stream |
		self do: [ :char |
			(#($' $\) includes: char)
				ifTrue: [ stream nextPut: char ].
			stream nextPut: char ] ]
Just add that method to your string class and call it when putting
strings into the database.
It will make ' look like '' and \ look like \\.
If you are interested in object to relational storage for MySQL or
PostgreSQL have a look at REServe.
http://squeaksource.com/REServe.html
It allows you to store objects in a relational database without ever
having to deal with SQL. It supports polymorphism, collections,
Smalltalk enumeration-like querying, and some other nice features.
Currently it is not possible to map existing tables to objects but
that should not be too difficult to do (it might even work now but I
have never tried it).
Enjoy
Will
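To see what the doubling buys you, here is an added example in Python (not code from the post, and not the Squeak driver): it ports the asEscapedSql transformation, puts it beside a naive escaper that doubles only ', and runs both through a small scanner that applies the two MySQL string-literal rules that matter here ('' inside a literal is a literal quote, and a backslash escapes the next character unless the NO_BACKSLASH_ESCAPES sql_mode is set). The query text, table and column names are made up for the demonstration. It shows that doubling only ' still lets the payload \' OR 1=1 -- close the literal early, whereas doubling \ as well keeps it inside the literal; it also shows the one assumption behind the method: under NO_BACKSLASH_ESCAPES the doubled backslash is stored as two backslashes (the data changes, though nothing breaks out of the quotes).

```python
# Added example, not code from the original post: a Python port of the
# asEscapedSql transformation (double every ' and \), a naive variant that
# doubles only ', and a small scanner for MySQL single-quoted literals that
# reports whether a value stayed inside its quotes.  The query shape, table
# and column names are hypothetical.

from typing import Callable, Optional, Tuple


def as_escaped_sql(s: str) -> str:
    """Same transformation as the Smalltalk asEscapedSql method: ' -> '' and \\ -> \\\\."""
    out = []
    for ch in s:
        if ch in ("'", "\\"):
            out.append(ch)  # emit the character a second time
        out.append(ch)
    return "".join(out)


def quotes_only_escape(s: str) -> str:
    """Naive escaper that doubles ' but leaves \\ alone (for comparison only)."""
    return s.replace("'", "''")


PREFIX = "SELECT id FROM users WHERE name = "  # hypothetical query text


def build_query(name: str, escaper: Optional[Callable[[str], str]] = None) -> str:
    """Interpolate name into a single-quoted literal, escaped if an escaper is given."""
    value = escaper(name) if escaper else name
    return f"{PREFIX}'{value}'"


def scan_literal(sql: str, start: int, backslash_escapes: bool = True) -> Tuple[str, int]:
    """Scan the single-quoted literal that starts at sql[start].

    Models only the two MySQL rules needed here: '' inside a literal is a
    literal quote, and unless NO_BACKSLASH_ESCAPES is in effect a backslash
    makes the next character literal (named escapes such as \\n are not
    decoded).  Returns (decoded value, index just past the closing quote).
    """
    if sql[start] != "'":
        raise ValueError("literal must start with a quote")
    out = []
    i = start + 1
    while i < len(sql):
        c = sql[i]
        if backslash_escapes and c == "\\" and i + 1 < len(sql):
            out.append(sql[i + 1])
            i += 2
        elif c == "'":
            if sql[i + 1:i + 2] == "'":
                out.append("'")
                i += 2
            else:
                return "".join(out), i + 1
        else:
            out.append(c)
            i += 1
    raise ValueError("unterminated string literal")


def parse_name_query(sql: str, backslash_escapes: bool = True) -> Tuple[str, str]:
    """Return (value the server would see, SQL text left after the literal).

    Non-empty leftover text means the input closed the literal early.
    """
    if not sql.startswith(PREFIX):
        raise ValueError("unexpected query shape")
    value, end = scan_literal(sql, len(PREFIX), backslash_escapes)
    return value, sql[end:]


def injected(name: str, escaper: Optional[Callable[[str], str]] = None,
             backslash_escapes: bool = True) -> bool:
    """True if name escapes its literal or leaves it unterminated."""
    sql = build_query(name, escaper)
    try:
        _, rest = parse_name_query(sql, backslash_escapes)
    except ValueError:
        return True
    return rest != ""


if __name__ == "__main__":
    # Constructed payloads: a legitimate name, a classic quote breakout,
    # and the backslash trick that defeats quote-only escaping.
    for p in ["O'Brien", "' OR 1=1 -- ", "\\' OR 1=1 -- "]:
        print(repr(p),
              "raw:", injected(p),
              "quotes-only:", injected(p, quotes_only_escape),
              "asEscapedSql:", injected(p, as_escaped_sql))
```

Running the block prints one line per payload; the third line is the interesting one, where the quotes-only escaper turns `\' OR 1=1 -- ` into `'\'' OR 1=1 -- '`, which the server reads as a literal containing a single quote followed by injected SQL, while asEscapedSql produces `'\\'' OR 1=1 -- '` and the whole payload stays inside the literal.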
On Oct 19, 2006, at 12:46 PM, Vincent Girard-Reydet wrote:
> Hello,
>
> I hope this is the right place to ask the question.
> I'm using squeak / seaside and the mysql driver to implement a web
> site with database support.
>
> I wish to avoid SQL injections from user input.
>
> Does anyone know if there is something already in Squeak to do this
> (namely escaping quotes in user input)
>
> Thanks a lot.
>
> Vincent Girard-Reydet
> _______________________________________________
> Seaside mailing list
> Seaside at lists.squeakfoundation.org
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside