[Seaside] Avoiding SQL injections with squeak / seaside / mysql
vincent.girard-reydet at f4-group.com
Mon Oct 23 07:33:56 UTC 2006
I don't have asEscapedSql in my image, but I will use the one you
provided to me. Thanks for your answer.
William Harford wrote:
> My image has String asEscapedSql; it may or may not be in your image, but
> it is easy to add. Assuming you don't use "s to surround strings, the
> following should work.
> asEscapedSql
>     "Answer a copy of the receiver with every ' and \ doubled, which is
>      what MySQL expects inside a single-quoted string literal."
>     ^String streamContents: [ :stream |
>         self do: [ :char |
>             (#($' $\) includes: char)
>                 ifTrue: [ stream nextPut: char ].
>             stream nextPut: char ] ]
> Just add that method to your string class and call it when putting
> strings into the database.
> It will make ' look like '' and \ look like \\.
> If you are interested in object to relational storage for MySQL or
> PostgreSQL have a look at REServe.
> It allows you to store objects in a relational database without ever
> having to deal with SQL. It supports polymorphism, collections,
> Smalltalk enumeration-like querying, and some other nice features.
> Currently it is not possible to map existing tables to objects but that
> should not be too difficult to do (it might even work now but I have
> never tried it).
> On Oct 19, 2006, at 12:46 PM, Vincent Girard-Reydet wrote:
>> I hope this is the right place to ask the question.
>> I'm using squeak / seaside and the mysql driver to implement a web
>> site with database support.
>> I wish to avoid SQL injections from user input.
>> Does anyone know if there is something already in Squeak to do this
>> (namely escaping quotes in user input)?
>> Thanks a lot.
>> Vincent Girard-Reydet
>> Seaside mailing list
>> Seaside at lists.squeakfoundation.org
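An added example, not code from this thread and not part of REServe or the Squeak MySQL driver: the same escaping rule (double every ' and \) ported to Python and run against a constructed in-memory SQLite table, so it works offline. SQLite doubles quotes the way MySQL does but does not treat backslash as an escape character, so the sample inputs avoid backslashes; everything else (the helper names, the users table, the login query) is invented for the demonstration. It shows three things: the raw interpolation is bypassed by a classic quote payload, the escaper neutralises that payload as long as the value sits inside single quotes, and the escaper does nothing for an unquoted numeric slot, which is why a placeholder-based query is preferable wherever the driver supports one.

```python
import sqlite3


def escape_sql_literal(value: str) -> str:
    """Port of the thread's asEscapedSql: double every single quote and
    backslash. This is MySQL's rule for the inside of a single-quoted
    literal; it offers no protection for a value that is not quoted."""
    out = []
    for ch in value:
        if ch in ("'", "\\"):
            out.append(ch)
        out.append(ch)
    return "".join(out)


def quote(value: str) -> str:
    """Wrap an escaped value in the single quotes the escaper assumes."""
    return "'" + escape_sql_literal(value) + "'"


def make_db() -> sqlite3.Connection:
    """Constructed sample data. SQLite stands in for MySQL here; it handles
    '' like MySQL but does not interpret backslashes, so no sample value
    below contains one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, pw TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "s3cret"), (2, "bob", "hunter2")],
    )
    return conn


def login_naive(conn, name: str, pw: str) -> int:
    """Vulnerable: user input is pasted straight into the literal."""
    sql = "SELECT count(*) FROM users WHERE name = '%s' AND pw = '%s'" % (name, pw)
    return conn.execute(sql).fetchone()[0]


def login_escaped(conn, name: str, pw: str) -> int:
    """Hardened with the thread's escaper; the value stays inside quotes."""
    sql = "SELECT count(*) FROM users WHERE name = %s AND pw = %s" % (
        quote(name), quote(pw))
    return conn.execute(sql).fetchone()[0]


def login_param(conn, name: str, pw: str) -> int:
    """Preferred: placeholders; the driver never splices text into SQL."""
    sql = "SELECT count(*) FROM users WHERE name = ? AND pw = ?"
    return conn.execute(sql, (name, pw)).fetchone()[0]


def names_by_id_escaped(conn, user_id: str) -> list:
    """The escaper's limit: this slot is unquoted, so doubling quotes and
    backslashes does nothing against an injected boolean expression."""
    sql = "SELECT name FROM users WHERE id = " + escape_sql_literal(user_id)
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    conn = make_db()
    payload = "' OR '1'='1"
    print("naive   :", login_naive(conn, "alice", payload))    # 2: bypassed
    print("escaped :", login_escaped(conn, "alice", payload))  # 0
    print("param   :", login_param(conn, "alice", payload))    # 0
    print("numeric :", names_by_id_escaped(conn, "1 OR 1=1"))  # ['alice', 'bob']
```

The naive query becomes `... AND pw = '' OR '1'='1'`, which is true for every row; the escaped one compares pw against the literal text of the payload and matches nothing. The last function is the case William's "call it when putting strings into the database" quietly relies on: the escaper only helps when the surrounding SQL puts the value between single quotes.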