Re: [Monotone-devel] [PATCH] New typesafe VA_ARGS replacement for databa
From: Christof Petig
Subject: Re: [Monotone-devel] [PATCH] New typesafe VA_ARGS replacement for database with operator % style
Date: Wed, 25 Jan 2006 08:53:32 +0100
User-agent: Mail/News 1.5 (X11/20060119)
Glen Ditchfield wrote:
> But does that ensure that the right thing will happen if the parameter has a
> single quote in it?
>
> By the way, here is what monotone 0.23 on SuSE 9.2 does in one case:
> [~]$ monotone ls certs a:o\'toole
> monotone: expanding selection 'a:o'toole'
> monotone: error: sqlite error: 1: near "toole": syntax error
> monotone: error: make sure database and containing directory are writeable
I do not trust the string mangling done in the selector code! A rewrite
to use query parameters would be a good idea. But that's not my cup of
tea (trying to port cvssync to rosters). I can confirm that different
parts are indeed SQL injection proof.
Christof
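The failure Glen quotes (a selector value containing a single quote producing "near "toole": syntax error") is exactly what happens when the selector value is spliced into the SQL text, and the same splicing lets a crafted value change the query's meaning. The example below is added here to illustrate that; it is not monotone's code and uses Python's built-in sqlite3 module rather than monotone's C++ database layer. The `certs(name, value)` table and the rows in it are constructed for the example and are not monotone's real schema; `select_by_concat` stands in for the string-mangling style and `select_by_param` for the query-parameter rewrite Christof suggests.

```python
import sqlite3

# Constructed sample data (assumption: a simplified cert table, not monotone's
# actual schema), including a value with an embedded single quote.
SAMPLE_CERTS = [
    ("author", "o'toole"),
    ("author", "glen"),
    ("branch", "net.venge.monotone"),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE certs (name TEXT, value TEXT)")
    conn.executemany("INSERT INTO certs VALUES (?, ?)", SAMPLE_CERTS)
    return conn


def select_by_concat(conn, name, value):
    """String-mangling style: the selector value becomes part of the SQL text.

    A single quote in `value` terminates the literal early, so sqlite sees
    the remainder as SQL.  For "o'toole" that is a syntax error; for a value
    crafted to be valid SQL it silently changes the WHERE clause.
    """
    sql = ("SELECT name, value FROM certs WHERE name = '%s' AND value = '%s'"
           % (name, value))
    return conn.execute(sql).fetchall()


def select_by_param(conn, name, value):
    """Query-parameter style: the value is bound, never parsed as SQL."""
    sql = "SELECT name, value FROM certs WHERE name = ? AND value = ?"
    return conn.execute(sql, (name, value)).fetchall()


def concat_error(conn, name, value):
    """Return the sqlite error message the concatenating query raises, or None."""
    try:
        select_by_concat(conn, name, value)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


def demo():
    """Run both styles against the quoted-name case and an injection payload."""
    conn = make_db()
    quoted = "o'toole"
    payload = "x' OR '1'='1"   # constructed injection string
    return {
        # Concatenation: reproduces the syntax error from the mailing-list post.
        "concat_quoted_error": concat_error(conn, "author", quoted),
        # Parameter binding: the quote is just data and the row is found.
        "param_quoted": select_by_param(conn, "author", quoted),
        # Concatenation: AND binds tighter than OR, so '1'='1' matches every row.
        "concat_payload_rows": len(select_by_concat(conn, "author", payload)),
        # Parameter binding: no row has that literal value, so nothing matches.
        "param_payload": select_by_param(conn, "author", payload),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print("%-20s %r" % (key, val))
```

Note that the escaping half-measure (doubling every `'` before splicing) would also make this particular case work, but it has to be applied at every call site and is easy to miss; binding with `?` moves the responsibility into the database API once.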