Preared statement syntax... is database dependent
Posted Jun 4, 2006 6:12 UTC (Sun) by dps
Parent article: SQL injection vulnerabilities in PostgreSQL
Assuming I read the psoitgresql documentations straight you should change that ? into $1 when using postgreSQL (or Oracle, which I beleive would also allows you to use $foo too).
MySQL and ODBC want a ? as shown in the aticle.
If you are targeting the same query at both MySQL and postreSQL either doing utf8-aware string escaping, not using a multibyte character set (e.g. latin1), or implementing per-backend query syntax conversion is required. My code converts $<number> to ? becuase it makes the string shorter and is therefore easier to implement.
Of course the psotgreSQL fix will test your exception handling capabilites when that query containing invalid utf-8 gets rejected for this reason.
Also note that the 2nd (and 3rd, 4th, 5th and 6th) bytes in UTF-8 must satisfy (v & 0xc0==0x80). 0xc8 0x81 is valid UTF 8. 0xc8 0x5c and 0xc8 0xff are not valid UTF-8. Incidently 0xfe and 0xff *never* appear in valid UTF-8.
to post comments)