[OpenSER-Devel] TEXT vs BLOB data in database modules

Iouri Kharon bc-info at styx.cabel.net
Mon Apr 21 16:07:50 CEST 2008


   Hi Henning!

Monday, April 21, 2008, you wrote:

>> SQL injection can happen with any of blob, text, char, varchar if not
>> escaped. There is no distinction between the 2 regarding this issue.

> at least db_mysql and db_postgres uses escaping functions for DB_STRING,
> DB_STR and DB_BLOB.
> Iouri, how is this handled in the db_oracle module?

 This depends on what you mean :). If you mean the driver implementation,
this does not use escaping - because variable binding is used, and there are no
problems with the "boundaries" of substring (in particular, this is why I wish to
expand db-api in such a way that the modules do not use db_rawquery).
 However, if the meaning is whether Oracle has escaping at all, the answer would
be... "not quite" :). Oracle conceives '' as a single ', while for the transfer of
nonprintable characters, string concatenation can be used. For example, if we want
to transfer something like the string "abc\0cde" in the string-form sql-request,
then we should write this as follows: 'abc'||to_char(0)||'cde'.
  By the way, this all is valid for fields of the VARCHAR and CLOB field types,
whereas with BLOB this does not work - from the standpoint of Oracle, BLOB cannot
at all be represented in the text form.


Best regards,
 Iouri                            mailto:bc-info at styx.cabel.net
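As an added example (not part of the mail or of the OpenSER db modules): a Python rendering of the two approaches the mail contrasts, the text-literal path that must escape and splice, and the bind-variable path that needs no escaping. sqlite3 stands in for the real driver, and Oracle's chr() is assumed as the function used to splice non-printable characters into the literal.

```python
import sqlite3


def oracle_literal(value: str) -> str:
    """Render `value` as an Oracle-style string literal.

    Printable characters go into a quoted run with ' doubled to ''; any
    other character is pulled out of the quotes and spliced in with
    ||chr(n)|| (chr() assumed here), as the mail describes for "abc\\0cde".
    """
    parts = []
    run = []

    def flush():
        if run:
            parts.append("'" + "".join(run).replace("'", "''") + "'")
            run.clear()

    for ch in value:
        if ch.isprintable():
            run.append(ch)
        else:
            flush()
            parts.append("chr(%d)" % ord(ch))
    flush()
    return "||".join(parts) if parts else "''"


def store_and_fetch(value: str) -> str:
    """Round-trip `value` through a parameterised INSERT/SELECT.

    The driver binds the value separately from the SQL text, so a quote
    inside it is data, never a statement boundary; no escaping is needed.
    (sqlite3 in-memory database used as a stand-in for the real driver.)
    """
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE contact (name TEXT)")
    con.execute("INSERT INTO contact (name) VALUES (?)", (value,))
    (name,) = con.execute("SELECT name FROM contact").fetchone()
    con.close()
    return name


if __name__ == "__main__":
    # Constructed sample values: an embedded NUL and an embedded quote.
    print(oracle_literal("abc\0cde"))   # 'abc'||chr(0)||'cde'
    print(oracle_literal("O'Brien"))    # 'O''Brien'
    print(store_and_fetch("O'Brien"))   # O'Brien
```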