[OpenSER-Devel] TEXT vs BLOB data in database modules
Henning Westerholt
henning.westerholt at 1und1.de
Mon Apr 21 13:04:08 CEST 2008
On Monday 21 April 2008, Dan Pascu wrote:
> > Right, this is one more reason for having in the DB API a clear
> > distinction between the string-like and blob-like types.
>
> SQL injection can happen with any of blob, text, char, varchar if not
> escaped. There is no distinction between the 2 regarding this issue.
Hi Dan,
at least db_mysql and db_postgres uses escaping functions for DB_STRING,
DB_STR and DB_BLOB.
Iouri, how is this handled in the db_oracle module?
For db_unixodbc there is a common escaping function used, but its for default
not activated. Perhaps this should be changed?
Cheers,
Henning
More information about the Devel
mailing list