Being careful about SQL injection is important for security, but it should not be the case for htable when using db_mysql, because htable uses the internal sql-insert DB API and the values are escaped automatically using mysql_real_escape_string(). The db_postgres connector uses PQescapeStringConn(); IIRC db_unixodbc has a modparam for common escaping.
Of course, if htable is not defined to write to the database, then there is no concern at all about the key or value and SQL injection.
On the other hand, it is important to do safety checks when using sql_query()/sqlops directly in the config.
Cheers, Daniel
On 09.01.23 22:06, Alex Balashov wrote:
I know that Noah knows this, but it bears reminding for posterity that one should be careful about using unsanitised bare PV values as keys, for reasons that are conceptually similar to the problem of SQL injection.
-- Alex

--
Alex Balashov
Principal Consultant
Evariste Systems LLC
Web: https://evaristesys.com
Tel: +1-706-510-6800
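The contrast drawn in this exchange, as an added example in Kamailio configuration (not from Daniel's or Alex's messages and not the Kamailio project's own code): an htable that writes back to the database through the module's internal DB API, beside a sqlops sql_query() assembled from a bare PV and the same query with the value passed through the core {s.escape.common} transformation first. The database URL, the htable name "a", the table names, the route name and the use of $fU as the key are placeholders chosen for illustration.

```kamailio
loadmodule "db_mysql.so"
loadmodule "htable.so"
loadmodule "sqlops.so"

# htable with a DB backend (placeholder URL): values are written through the
# internal insert API, which escapes them for the connector in use
# (mysql_real_escape_string() for db_mysql), so no escaping in the config
modparam("htable", "db_url", "mysql://kamailio:kamailiorw@localhost/kamailio")
modparam("htable", "htable", "a=>size=8;dbtable=htable;dbmode=1")

# sqlops: the config author builds the SQL string, so nothing escapes it
modparam("sqlops", "sqlcon", "ca=>mysql://kamailio:kamailiorw@localhost/kamailio")

# hypothetical route, called with a request whose From user is attacker-controlled
route[SQLCHECK] {
    # request-controlled key stored in the htable: no SQL is built here, the
    # module escapes key and value when it flushes the table to the database
    $sht(a=>$fU) = $si;

    # UNSAFE: $fU is interpolated verbatim; a single quote in the From user
    # closes the string literal and the remainder becomes SQL
    # sql_query("ca", "select * from subscriber where username='$fU'", "ra");

    # safety check the config has to do itself: escape quotes/backslashes
    # in the value before it is placed inside the SQL string literal
    if (!sql_query("ca", "select * from subscriber where username='$(fU{s.escape.common})'", "ra")) {
        xlog("L_ERR", "sql query failed for From user $fU\n");
        return;
    }
    xlog("L_INFO", "rows for $fU: $dbr(ra=>rows)\n");
    sql_result_free("ra");
}
```

The first query is left commented out so the file loads; uncommenting it shows the failure mode with a From user such as `x' or '1'='1`, which the escaped form turns back into an ordinary string comparison. The htable line mirrors the point that with dbmode set the module, not the config, is responsible for escaping on write-back.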