Oracle FAQ Your Portal to the Oracle Knowledge Grid

Re: users using &, ", ', and other chars in input fields

From: Ed Avis <ed_at_membled.com>
Date: 07 Feb 2004 17:00:01 +0000
Message-ID: <l1ptcqj04u.fsf@budvar.future-i.net>


Michael Hill <hillmw_at_ram.lmtas.lmco.com> writes:

>As an example users enter double quotes in a text field surrounding a
>specific piece of text they want to highlight and then it barfs during
>the oracle insert step because the string is not properly delimited.

Sounds like an SQL injection bug. What if your user entered

    x'; delete from some_table;

as the value of some field? Are you confident that such strings couldn't ever have nasty effects?

If you need to paste together strings of SQL, be very very careful to quote user input properly, or to restrict it to a known set of characters.

>Another example is where the ampersand causes trouble when used on an
>xml page so provisions are made to insert it into the table using the
>ascii equivalent &amp;.

This is in fact a similar problem. You are pasting raw text from the database into an XML page. Instead you should store the text unchanged in the database and make sure to quote it when including it in the XML. Why should your database have gobbledygook like &amp; in text columns just because at the moment you are outputting as XML?

-- 
Ed Avis <ed_at_membled.com>
Received on Sat Feb 07 2004 - 11:00:01 CST
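As an added example, not part of Ed's post or of the thread, the two points above in working code. It uses an in-memory SQLite database in place of Oracle (an assumption; the bind-variable principle is the same), and the table names `notes` and `some_table`, the sample strings, and the second payload (which closes the quote and the parenthesis and then reopens them so the pasted-together statement actually parses) are all constructed for the demonstration. It shows the concatenated INSERT breaking on Ed's string, the constructed payload running an attacker's DELETE, the bound-parameter INSERT storing the text unchanged, and escaping applied only when the stored text is written into XML.

```python
import sqlite3
from xml.sax.saxutils import escape

# Constructed inputs (not from the original post, except Ed's string):
# the double-quote case from Michael's question, Ed's injection-style string,
# an ampersand for the XML side, and a payload that closes the quote and
# parenthesis, adds a DELETE, and reopens the quote so everything parses.
QUOTED_TEXT = 'he said "hello" to me'
ED_PAYLOAD = "x'; delete from some_table;"
XML_TEXT = "Tom & Jerry <3"
WORKING_PAYLOAD = "x'); delete from some_table; insert into notes (body) values ('y"


def setup_db():
    """In-memory SQLite stands in for Oracle (assumption); the principle is the same."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table notes (id integer primary key, body text)")
    conn.execute("create table some_table (id integer primary key)")
    conn.execute("insert into some_table (id) values (1)")
    conn.commit()
    return conn


def build_sql_naively(text):
    """The broken pattern: paste user input straight into the SQL text."""
    return "insert into notes (body) values ('" + text + "');"


def run_naively(conn, text):
    """Send the pasted-together SQL as a script, like a client that forwards
    whatever string it is handed.  Returns (error message or None,
    rows still present in some_table)."""
    try:
        conn.executescript(build_sql_naively(text))
        err = None
    except sqlite3.Error as e:
        err = str(e)  # the "barfs" case: statement not properly delimited
    rows = conn.execute("select count(*) from some_table").fetchone()[0]
    return err, rows


def insert_safely(conn, text):
    """Bind the value instead of quoting it by hand: the driver keeps data and
    code apart, so quotes and semicolons in `text` are just characters.
    Returns the body as stored, which must equal the input."""
    cur = conn.execute("insert into notes (body) values (?)", (text,))
    conn.commit()
    row = conn.execute("select body from notes where id = ?", (cur.lastrowid,)).fetchone()
    return row[0]


def to_xml(body):
    """Escape at the output boundary, not in storage.  escape() handles & < >;
    the extra map covers double quotes so the result is also safe in attributes."""
    return escape(body, {'"': "&quot;"})


if __name__ == "__main__":
    conn = setup_db()
    print(run_naively(conn, ED_PAYLOAD))        # syntax error, some_table intact
    print(run_naively(conn, WORKING_PAYLOAD))   # no error, some_table emptied
    print(insert_safely(conn, QUOTED_TEXT))     # stored exactly as typed
    print(to_xml(insert_safely(conn, XML_TEXT)))  # escaped only on output
```

Ed's string happens to leave the statement syntactically broken, which is the visible "barf"; the constructed payload is the quiet variant, where the statement parses, the user's DELETE runs and nothing is reported. The parameterized INSERT takes both strings as plain data (with Oracle drivers such as cx_Oracle the placeholder is `:1` rather than `?`), and the text columns hold the raw characters; `&amp;` only ever exists in the XML output.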
