[Seaside] Avoiding SQL injections with squeak / seaside / mysql driver

Vincent Girard-Reydet vincent.girard-reydet at f4-group.com
Mon Oct 23 07:33:56 UTC 2006


Hi William,

I don't have asEscapedSql in my image, but I will use the one you 
provided to me. Thanks for your answer.

Vincent

William Harford wrote:
> Vincent,
> 
> My image has String asEscapedSql; it may or may not be in your image, but 
> it is easy to add. Assuming you don't use "s to surround strings, the 
> following should work.
> 
> asEscapedSql
>     "Answer a copy of the receiver with every ' and \ doubled, so the
>      result can sit inside a single-quoted SQL literal."
>     ^String streamContents: [ :stream |
>         self do: [ :char |
>             (#($' $\) includes: char)
>                 ifTrue: [ stream nextPut: char ].
>             stream nextPut: char ] ]
> 
> Just add that method to your string class and call it when putting 
> strings into the database.
> 
> It will make ' look like '' and \ look like \\.
> 
> If you are interested in object to relational storage for MySQL or 
> PostgreSQL have a look at REServe.
> 
> http://squeaksource.com/REServe.html
> 
> It allows you to store objects in a relational database without ever 
> having to deal with SQL. It supports polymorphism, collections, 
> Smalltalk enumeration-like querying, and some other nice features. 
> Currently it is not possible to map existing tables to objects but that 
> should not be too difficult to do (it might even work now but I have 
> never tried it).
> 
> Enjoy
> Will
> 
> On Oct 19, 2006, at 12:46 PM, Vincent Girard-Reydet wrote:
> 
>> Hello,
>>
>> I hope this is the right place to ask the question.
>> I'm using squeak / seaside and the mysql driver to implement a web 
>> site with database support.
>>
>> I wish to avoid SQL injections from user input.
>>
>> Does anyone know if there is something already in Squeak to do this 
>> (namely escaping quotes in user input)
>>
>> Thanks a lot.
>>
>> Vincent Girard-Reydet
>> _______________________________________________
>> Seaside mailing list
>> Seaside at lists.squeakfoundation.org
>> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside
> 
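The escaping rule from William's post, transcribed to Python as an added example (this is not code from the thread, from Squeak, or from REServe). It pairs the escape function with a small checker that reads a finished literal the way MySQL's lexer reads single-quoted strings (backslash escapes enabled, `''` as an embedded quote), so you can verify that escaped input never closes the literal early and that the backslash rule is needed too. The `users` table and the sample inputs are constructed for the example.

```python
# Added example (not code from the thread): a Python transcription of the
# asEscapedSql idea, plus a checker that walks the finished literal the way
# MySQL's lexer reads '-delimited strings. Sample inputs are constructed.

ESCAPES = {"'": "''", "\\": "\\\\"}


def as_escaped_sql(text: str) -> str:
    """Double every ' and \\ (the same rule as the Smalltalk method)."""
    return "".join(ESCAPES.get(ch, ch) for ch in text)


def sql_string_literal(text: str) -> str:
    """Escape and wrap in single quotes. Only valid for '-delimited literals;
    the rule leaves double quotes alone, as the post points out."""
    return "'" + as_escaped_sql(text) + "'"


def literal_is_self_contained(literal: str) -> bool:
    """Return True if MySQL would read the whole string as ONE literal.

    MySQL (without NO_BACKSLASH_ESCAPES) treats \\x as an escape and '' as a
    literal quote inside a '-delimited string. We require the first bare '
    after the opening one to be the very last character.
    """
    if not literal.startswith("'"):
        return False
    i = 1
    while i < len(literal):
        ch = literal[i]
        if ch == "\\":
            i += 2                      # escape sequence: skip the next char
        elif ch == "'":
            if literal[i + 1:i + 2] == "'":
                i += 2                  # '' is an embedded quote
            else:
                return i == len(literal) - 1   # closing quote must be last
        else:
            i += 1
    return False                        # ran off the end: unterminated


def lookup_by_name(name: str) -> str:
    """Build the kind of statement the thread is about (constructed table)."""
    return "SELECT * FROM users WHERE name = " + sql_string_literal(name)


if __name__ == "__main__":
    for sample in ["O'Reilly", "back\\slash", "'", "trailing\\"]:
        print(lookup_by_name(sample), "->",
              literal_is_self_contained(sql_string_literal(sample)))
```

Two caveats follow directly from the post. First, the rule only protects values placed between single quotes; a value dropped into a `"`-delimited literal or into an unquoted position (a numeric comparison, a column name) gets no protection from it, so every interpolation site must be a `'...'` literal. Second, the backslash half of the rule is not optional for MySQL: the checker returns False for `'trailing\'` because the backslash swallows the closing quote. Where the driver offers parameter binding, prefer that and keep escaping for the places it cannot reach.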