[Seaside] Avoiding SQL injections with squeak / seaside / mysql driver

William Harford seaside at harford.org
Thu Oct 19 20:33:14 UTC 2006


Vincent,

My image has String asEscapedSql; it may or may not be in your image,  
but it is easy to add. Assuming you don't use "s to surround strings,  
the following should work.

asEscapedSql
	"Answer a copy of the receiver in which every ' and \ is doubled,
	 so the result can be embedded inside a single-quoted SQL literal."
	^String streamContents: [ :stream |
		self do: [ :char |
			(#($' $\) includes: char)
				ifTrue: [ stream nextPut: char ].
			stream nextPut: char ] ]

Just add that method to your string class and call it when putting  
strings into the database.

It will make ' look like '' and \ look like \\.

If you are interested in object to relational storage for MySQL or  
PostgreSQL have a look at REServe.

http://squeaksource.com/REServe.html

It allows you to store objects in a relational database without ever  
having to deal with SQL. It supports polymorphism, collections,  
Smalltalk enumeration-like querying, and some other nice features.  
Currently it is not possible to map existing tables to objects, but  
that should not be too difficult to do (it might even work now, but I  
have never tried it).

Enjoy
Will

On Oct 19, 2006, at 12:46 PM, Vincent Girard-Reydet wrote:

> Hello,
>
> I hope this is the right place to ask the question.
> I'm using squeak / seaside and the mysql driver to implement a web  
> site with database support.
>
> I wish to avoid SQL injections from user input.
>
> Does anyone know if there is something already in Squeak to do this  
> (namely escaping quotes in user input)
>
> Thanks a lot.
>
> Vincent Girard-Reydet
> _______________________________________________
> Seaside mailing list
> Seaside at lists.squeakfoundation.org
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
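An added SUnit check for the asEscapedSql method above (example code, not part of the original post or of REServe): it shows that the doubling is only correct when the escaped value is wrapped in single quotes, which the method itself does not do. The class SqlEscapeTest, the helper quoteSql: and the sample inputs are assumptions made for the example.

```smalltalk
"Constructed test class; assumes String>>asEscapedSql is installed as posted."
TestCase subclass: #SqlEscapeTest
	instanceVariableNames: ''
	classVariableNames: ''
	poolDictionaries: ''
	category: 'SqlEscape-Tests'.

SqlEscapeTest >> quoteSql: aString
	"Escape and then wrap in single quotes. asEscapedSql only neutralises
	 ' and \ inside a single-quoted literal; callers must add the quotes."
	^ '''' , aString asEscapedSql , ''''

SqlEscapeTest >> testDoublesQuoteAndBackslash
	"Each ' becomes '' and each \ becomes \\; other characters pass through."
	self assert: ('O''Brien' asEscapedSql = 'O''''Brien').
	self assert: ('a\b' asEscapedSql = 'a\\b').
	self assert: ('plain' asEscapedSql = 'plain').

SqlEscapeTest >> testValueStaysInsideLiteral
	"A quote inside user input must not terminate the SQL string literal."
	| input query |
	input := 'it''s \ here'.   "constructed sample input"
	query := 'SELECT * FROM users WHERE name = ' , (self quoteSql: input).
	self assert: (query = 'SELECT * FROM users WHERE name = ''it''''s \\ here''').
	"Without escaping the literal would end at the embedded quote."
	self deny: (('''' , input , '''') = (self quoteSql: input)).
```

Run with `SqlEscapeTest suite run` in a workspace; the second test is the one that documents the caveat about quoting.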