[erlang-questions] String and single quote escaping

Fred Hebert mononcqc@REDACTED
Wed Oct 8 17:16:25 CEST 2014


On 10/08, Raffaele Intorcia wrote:
> Now, I have to create a string that will be passed as query to a sqlserver
> so I need to escape the single quote. To do this I'm using re:replace for
> example with this syntax:

DO NOT DO THIS!
DO NOT DO THIS!
DO NOT DO THIS!

Please, don't escape SQL strings yourself! That is not safe in general.
Years of PHP with mysql_escape_string() and mysql_real_escape_string()
have only helped prove that point (they have been supplanted by prepared
statements in mysqli and PDO). Nothing good can happen with this.

Try to use concepts such as prepared statements or extended queries.

For example, using Emysql: https://github.com/Eonblast/Emysql#Executing_Prepared_Statements
Or using epgsql: https://github.com/epgsql/epgsql/blob/master/README#L137-L145

Manual escaping of SQL queries is a recipe both for disaster and
incommensurable pain, both for yourself and your users who tend to trust
you to store their data properly.

If your library doesn't support that kind of stuff, please use another
library.

Regards,
Fred.
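As an added illustration of the point made in the reply above (this is not code from the original message nor from the epgsql or Emysql projects), the module below puts the hand-escaped string construction next to the parameterised form using epgsql's `equery/3`. It assumes a running PostgreSQL reachable with the placeholder host, user, password and database values in the usage comment, and a `users` table with `id`, `email` and `name` columns; the module and function names are chosen for the example.

```erlang
%% Added example, not part of the original thread: contrast a hand-escaped
%% query string with a parameterised query through epgsql.
%% Assumes the epgsql application is available; the connection details in
%% the usage comment are placeholders.
-module(user_lookup).
-export([unsafe_query/1, find_user/2]).

%% The "before" form the thread warns against: the SQL text is assembled
%% from user input after a hand-rolled replace of ' with ''. Any case the
%% replace does not cover (character-set issues, other quoting contexts,
%% backslash handling on some servers) leaves the query open, and the
%% server cannot tell data from SQL once the string is built.
unsafe_query(Name) when is_list(Name) ->
    Escaped = re:replace(Name, "'", "''", [global, {return, list}]),
    "SELECT id, email FROM users WHERE name = '" ++ Escaped ++ "'".

%% The recommended form: the SQL text is a fixed literal, and the value
%% travels as bind parameter $1. The driver sends it separately from the
%% statement, so it is never parsed as SQL, quotes included.
find_user(Conn, Name) when is_binary(Name) ->
    Sql = "SELECT id, email FROM users WHERE name = $1",
    case epgsql:equery(Conn, Sql, [Name]) of
        {ok, _Columns, Rows} -> {ok, Rows};
        {error, Reason}      -> {error, Reason}
    end.

%% Usage (placeholder connection details):
%% {ok, C} = epgsql:connect("localhost", "app_user", "app_password",
%%                          [{database, "appdb"}]),
%% {ok, Rows} = user_lookup:find_user(C, <<"O'Brien">>),
%% ok = epgsql:close(C).
```

With `find_user/2`, a name such as `O'Brien` is matched literally without any escaping in application code, which is exactly what `unsafe_query/1` tries and fails to guarantee by string manipulation. Emysql offers the same separation through `emysql:prepare/2` and `emysql:execute/3` with `?` placeholders, as linked in the reply.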


