10 Jan
2023
10 Jan
'23
11:35 a.m.
Being careful about sql injection is important for security, but It
should not be the case for htable when using db_mysql, because htable
uses the internal sql-insert db api and the values are escaped
automatically using mysql_real_escape_string(). The db_postgres
connector uses PQescapeStringConn(), iirc db_unixodbc has a modparam for
common escaping.
Of course, if htable is not defined to write to database, then no
concern at all about the key or value and sql injection.
On the other hand, it is important to do safety checks when using
directly sql_query()/sqlops in the config.
Cheers,
Daniel
On 09.01.23 22:06, Alex Balashov wrote:
I know that Noah knows this, but it bears reminding
for posterity that one should be careful with using unsanitised bare PV values as keys,
for reasons that are conceptually similar to the problem of SQL Injection.
-- Alex
--
Alex Balashov
Principal Consultant
Evariste Systems LLC
Web: https://evaristesys.com
Tel: +1-706-510-6800
--
Daniel-Constantin Mierla -- www.asipto.com
www.twitter.com/miconda -- www.linkedin.com/in/miconda
Kamailio World Conference - June 5-7, 2023 - www.kamailioworld.com