[erlang-questions] String and single quote escaping

Jon Schneider jon@REDACTED
Wed Oct 8 17:37:11 CEST 2014


Raffaele is correct. Don't ever try to escape things yourself. Just don't.
Really.

On a related note I've quite recently seen authentication code in C trying
to pass strings through the shell using system() or popen() to another
executable by escaping it and that similarly goes wrong because the writer
wasn't aware of the detailed rules (of single quotes in this case). The
code should have been fork()...exec() and not touched the shell. Not that
shells ever do bad things.

Jon

> On 10/08, Raffaele Intorcia wrote:
>> Now, I have to create a string that will be passed as a query to a
>> SQL Server, so I need to escape the single quote. To do this I'm using
>> re:replace, for example with this syntax:
>
> DO NOT DO THIS!
> DO NOT DO THIS!
> DO NOT DO THIS!
>
> Please, don't escape SQL strings yourself! That is not safe in general.
> Years of PHP with mysql_escape_string() and mysql_real_escape_string()
> have only helped prove that point (they have been supplanted by prepared
> statements in mysqli and PDO). Nothing good can happen with this.
>
> Try to use concepts such as prepared statements or extended queries.
>
> For example, using Emysql:
> https://github.com/Eonblast/Emysql#Executing_Prepared_Statements
> Or using epgsql:
> https://github.com/epgsql/epgsql/blob/master/README#L137-L145
>
> Manual escaping of SQL queries is a recipe both for disaster and
> incommensurable pain, both for yourself and your users who tend to trust
> you to store their data properly.
>
> If your library doesn't support that kind of stuff, please use another
> library.
>
> Regards,
> Fred.
> _______________________________________________
> erlang-questions mailing list
> erlang-questions@REDACTED
> http://erlang.org/mailman/listinfo/erlang-questions
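The following is an added example, not code from this thread or from any of the libraries it links. It illustrates both points above in Python so that it runs offline: SQLite (stdlib) stands in for SQL Server and for the Emysql/epgsql prepared statements Fred links to, and `subprocess` stands in for the C `system()`/`popen()` versus `fork()`/`exec()` contrast Jon describes. The table, the user rows and the hostile inputs are constructed for the demonstration; every function name is an assumption of this example.

```python
"""Added example (not from the thread): hand-escaping versus letting the
database driver or the kernel carry user input as data.

Part 1: the SQL point. A query built by concatenation is shown next to the
same query with the single quote doubled by hand, and next to a
parameterised query. Doubling quotes happens to work for a quoted string
literal, but the same habit protects nothing in a numeric context, which is
one of the ways 'escape it yourself' goes wrong in practice.

Part 2: the shell point. An argument wrapped in single quotes and handed to
/bin/sh (shell=True, the popen()/system() shape) is shown next to an argv
list passed straight to the child (the fork()/exec() shape).

All data below is constructed for this demonstration.
"""
import sqlite3
import subprocess
import sys


def make_db():
    """In-memory table with two constructed users (rowid 1 = alice, 2 = bob)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def lookup_concat(conn, name):
    """No escaping at all: the input is spliced into the SQL text."""
    sql = "SELECT secret FROM users WHERE name = '" + name + "'"
    return sorted(r[0] for r in conn.execute(sql))


def lookup_hand_escaped(conn, name):
    """Hand-rolled escaping: double every single quote, then splice.
    Works for this quoted-literal context, but only because the author
    knew this particular rule for this particular database."""
    sql = "SELECT secret FROM users WHERE name = '" + name.replace("'", "''") + "'"
    return sorted(r[0] for r in conn.execute(sql))


def lookup_hand_escaped_rowid(conn, rowid):
    """The same escaping habit applied where the value is not quoted at all.
    There is no quote to escape, so nothing stops 'OR 1=1' from being SQL."""
    sql = "SELECT secret FROM users WHERE rowid = " + str(rowid).replace("'", "''")
    return sorted(r[0] for r in conn.execute(sql))


def lookup_param(conn, name):
    """Parameter binding: the driver sends the value separately from the
    statement text, so quotes in the value never reach the SQL parser."""
    sql = "SELECT secret FROM users WHERE name = ?"
    return sorted(r[0] for r in conn.execute(sql, (name,)))


def lookup_param_rowid(conn, rowid):
    """Parameter binding in the numeric context: a string like '1 OR 1=1'
    is compared as a value against the integer rowid and matches nothing."""
    sql = "SELECT secret FROM users WHERE rowid = ?"
    return sorted(r[0] for r in conn.execute(sql, (rowid,)))


def shell_naive_quote(arg):
    """'Escape it for the shell' by wrapping in single quotes and handing the
    command line to /bin/sh. Any single quote in arg ends the literal early.
    Assumes a POSIX sh (shell=True runs /bin/sh on Unix)."""
    cmd = "echo '" + arg + "'"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def exec_no_shell(arg):
    """The fork()/exec() shape: an argv list, no shell in the path. The child
    (the Python interpreter here, so the example is self-contained) receives
    arg as a single argument regardless of what characters it contains."""
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", arg]
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    db = make_db()
    hostile_name = "x' OR '1'='1"
    hostile_id = "1 OR 1=1"
    print("concat:       ", lookup_concat(db, hostile_name))
    print("hand-escaped: ", lookup_hand_escaped(db, hostile_name))
    print("escaped rowid:", lookup_hand_escaped_rowid(db, hostile_id))
    print("param:        ", lookup_param(db, hostile_name))
    print("param rowid:  ", lookup_param_rowid(db, hostile_id))
    hostile_arg = "it'; echo pwned #"
    print("shell quote:  ", repr(shell_naive_quote(hostile_arg)))
    print("exec argv:    ", repr(exec_no_shell(hostile_arg)))
```

Run as a script, the concatenated query and the "escaped" numeric query both return every secret in the table, the parameterised queries return nothing for the hostile inputs, the shell path prints a second line that the caller never asked for, and the argv path prints the argument verbatim. In the Erlang libraries linked above the parameterised form is `epgsql:equery/3` with `$1` placeholders and `emysql:prepare/2` plus `emysql:execute/3` with `?` placeholders; the point of Fred's advice is that the value travels to the server as a bound parameter rather than as part of the query string.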