No, I meant for example: if $sht(tbl=>$rU) leads to something important, like a
deletion of something else, and the caller can set $rU arbitrarily...
—
Sent from mobile, apologies for brevity and errors.
On Jan 10, 2023, at 3:35 AM, Daniel-Constantin Mierla
<miconda(a)gmail.com> wrote:
Being careful about sql injection is important for security, but it
should not be the case for htable when using db_mysql, because htable
uses the internal sql-insert db api and the values are escaped
automatically using mysql_real_escape_string(). The db_postgres
connector uses PQescapeStringConn(), iirc db_unixodbc has a modparam for
common escaping.
Of course, if htable is not defined to write to database, then no
concern at all about the key or value and sql injection.
On the other hand, it is important to do safety checks when using
directly sql_query()/sqlops in the config.
Cheers,
Daniel
On 09.01.23 22:06, Alex Balashov wrote:
I know that Noah knows this, but it bears reminding for posterity that one should be
careful with using unsanitised bare PV values as keys, for reasons that are conceptually
similar to the problem of SQL Injection.
-- Alex
--
Alex Balashov
Principal Consultant
Evariste Systems LLC
Web: https://evaristesys.com
Tel: +1-706-510-6800
--
Daniel-Constantin Mierla -- www.asipto.com -- www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio World Conference - June 5-7, 2023 - www.kamailioworld.com
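Daniel's point about direct sql_query()/sqlops use deserves a concrete illustration. The following kamailio.cfg fragment is an added example, not code from the thread or from the Kamailio project; the connection URL, the `routes` table and its `did`/`prefix` columns are assumed placeholders. It shows the unsafe pattern the thread warns about (a bare $rU interpolated into the query text, left commented out) next to two defensive measures: a shape check on the user part before it touches SQL, and the core `{s.escape.common}` transformation as defence in depth.

```cfg
# Added example: guarding a direct sqlops query in kamailio.cfg (not from the thread)
loadmodule "sl.so"
loadmodule "xlog.so"
loadmodule "sqlops.so"

# placeholder DSN - replace with a real connection string
modparam("sqlops", "sqlcon", "ca=>mysql://user:pass@localhost/kamailio")

route[ROUTE_LOOKUP] {
    # UNSAFE: the caller-controlled user part goes verbatim into the SQL text,
    # so a quote in $rU changes the query. This is the pattern to avoid.
    # sql_query("ca", "select prefix from routes where did='$rU'", "ra");

    # Check 1: only accept the shape a dialled number can have
    if(!($rU =~ "^\+?[0-9]{3,20}$")) {
        xlog("L_WARN", "rejecting request with non-numeric user part [$rU]\n");
        send_reply("400", "Bad Request");
        exit;
    }

    # Check 2: escape anyway (defence in depth) using the core transformation,
    # which is the same kind of escaping htable gets for free from the db api
    sql_query("ca", "select prefix from routes where did='$(rU{s.escape.common})'", "ra");

    $var(prefix) = "";
    if($dbr(ra=>rows) > 0) {
        $var(prefix) = $dbr(ra=>[0,0]);
    }
    sql_result_free("ra");

    if($var(prefix) == "") {
        xlog("L_INFO", "no route prefix for [$rU]\n");
        send_reply("404", "Not Found");
        exit;
    }
    $rU = $var(prefix) + $rU;
}
```

The regex check is the more important of the two: it rejects anything that is not a number before the value reaches the database, so the escape transformation only has to catch what the check missed. Note that this guards the SQL layer only; as Alex points out, a lookup such as $sht(tbl=>$rU) can still be steered by the caller even when no SQL is involved, so the same shape check belongs in front of any table key that drives a sensitive action.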