[OpenSER-Devel] TEXT vs BLOB data in database modules

Henning Westerholt henning.westerholt at 1und1.de
Mon Apr 21 13:04:08 CEST 2008


On Monday 21 April 2008, Dan Pascu wrote:
> > Right, this is one more reason for having in the DB API a clear
> > distinction between the string-like and blob-like types.
>
> SQL injection can happen with any of blob, text, char, varchar if not
> escaped. There is no distinction between the 2 regarding this issue.

Hi Dan,

at least db_mysql and db_postgres uses escaping functions for DB_STRING, 
DB_STR and DB_BLOB.

Iouri, how is this handled in the db_oracle module?

For db_unixodbc there is a common escaping function used, but its for default 
not activated. Perhaps this should be changed?

Cheers,

Henning



More information about the Devel mailing list