From: Mel on 5 Sep 2009 09:34

The following code fails because of the single quote around "World". If you look at the query itself, detail is surrounded by single quotes and therefore it fails on inclusion of any single quote. How can one avoid this situation? Thanks in advance.

set id 1000
set detail "Hello 'World'"

set query {
    INSERT INTO article (id, detail) VALUES ($id, '$deatil')
}

set test [subst $query]

dbh eval $test
From: Gerald W. Lester on 5 Sep 2009 11:44

Mel wrote:
> The following code fails because of the single quote around "World". If
> you look at the query itself, detail is surrounded by single quotes
> and therefore it fails on inclusion of any single quote. How can one
> avoid this situation?
> Thanks in advance.
>
> set id 1000
> set detail "Hello 'World'"
>
> set query {
>     INSERT INTO article (id, detail) VALUES ($id, '$deatil')
> }
>
> set test [subst $query]
>
> dbh eval $test

What you are talking about is properly called an SQL Insertion Attack (see http://en.wikipedia.org/wiki/SQL_injection).

Note -- this has *NOTHING* to do with Tcl.

The answer is to use bind/bound parameters. The exact syntax depends on the database extension (or the tcldb that will be in Core in 8.6) you are using, which you did not identify.

The other option is to do a [string map] on detail to substitute two single quotes wherever there is one.

--
+------------------------------------------------------------------------+
| Gerald W. Lester                                                       |
|"The man who fights for his ideals is the man who is alive." - Cervantes|
+------------------------------------------------------------------------+
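As an added example (not code posted in this thread), here is Mel's INSERT done the three ways discussed above, using the sqlite3 Tcl extension against an in-memory database; the `sqlite3` package, the `dbh` handle and the `article` table are assumptions, and the thread's `$deatil` typo is written as `$detail` so the [subst] run fails for the reason Mel describes rather than on an unknown variable.

```tcl
# Added example: requires the sqlite3 Tcl extension; in-memory DB so it runs stand-alone.
package require sqlite3

set id 1000
set detail "Hello 'World'"

sqlite3 dbh :memory:                                  ;# assumed handle name
dbh eval {CREATE TABLE article (id INTEGER, detail TEXT)}

# 1. The thread's approach: build the SQL text with [subst]. The quote inside
#    $detail terminates the SQL string literal, so SQLite cannot parse it.
set query { INSERT INTO article (id, detail) VALUES ($id, '$detail') }
if {[catch {dbh eval [subst $query]} err]} {
    puts "subst approach failed: $err"
}

# 2. Gerald's second option: double every single quote before splicing the
#    value into the statement. Works, but must be remembered on every query.
set escaped [string map {' ''} $detail]
dbh eval "INSERT INTO article (id, detail) VALUES ($id, '$escaped')"

# 3. Gerald's first option, bound parameters: with the SQL in braces, Tcl does
#    no substitution and sqlite3's eval binds $id and $detail itself. The value
#    is never parsed as SQL, so no quoting or escaping is needed.
dbh eval {INSERT INTO article (id, detail) VALUES ($id, $detail)}

# Both successful inserts stored the literal text Hello 'World'.
dbh eval {SELECT id, detail FROM article} row {
    puts "$row(id): $row(detail)"
}
dbh close
```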
From: Mel on 6 Sep 2009 08:28

Thanks for your reply. I do however think it is a substitution problem; consider the following:

set id 1000
set detail "Hello 'World'"

set x{
    Jack of all Trades $id, '$deatil " { ['

}

set test [subst $x] ; <<< still fails

There must be a way of not interpreting the string. I hope you agree ;-)

On Sep 5, 11:44 am, "Gerald W. Lester" <Gerald.Les...(a)cox.net> wrote:
> Mel wrote:
> > The following code fails because of the single quote around "World". If
> > you look at the query itself, detail is surrounded by single quotes
> > and therefore it fails on inclusion of any single quote. How can one
> > avoid this situation?
> > Thanks in advance.
> >
> > set id 1000
> > set detail "Hello 'World'"
> >
> > set query {
> >     INSERT INTO article (id, detail) VALUES ($id, '$deatil')
> > }
> >
> > set test [subst $query]
> >
> > dbh eval $test
>
> What you are talking about is properly called an SQL Insertion Attack (see http://en.wikipedia.org/wiki/SQL_injection).
>
> Note -- this has *NOTHING* to do with Tcl.
>
> The answer is to use bind/bound parameters. The exact syntax depends on the
> database extension (or the tcldb that will be in Core in 8.6) you are
> using, which you did not identify.
>
> The other option is to do a [string map] on detail to substitute two single
> quotes wherever there is one.
>
> --
> +------------------------------------------------------------------------+
> | Gerald W. Lester                                                       |
> |"The man who fights for his ideals is the man who is alive." - Cervantes|
> +-----------------------------------------------------------------------
From: Arndt Roger Schneider on 6 Sep 2009 10:00

Mel wrote:
> Thanks for your reply. I do however think it is a substitution problem;
> consider the following:
>
> set id 1000
> set detail "Hello 'World'"
>
> set x { Jack of all Trades $ID, '$deatil " \{ [' }

set test [subst $x]              -> missing close bracket
set test [subst -nocommands $x]  -> Jack of all Trades 3, 'errr " { ['

Side-Note: I've used different values for ID and deatil.

subst evaluates [] as command sequences, and it also substitutes backslashes.

> There must be a way of not interpreting the string. I hope you
> agree ;-)
>
>
> On Sep 5, 11:44 am, "Gerald W. Lester" <Gerald.Les...(a)cox.net> wrote:
>
>>Mel wrote:
>>
>>>The following code fails because of the single quote around "World". If
>>>you look at the query itself, detail is surrounded by single quotes
>>>and therefore it fails on inclusion of any single quote. How can one
>>>avoid this situation?
>>>Thanks in advance.
>>
>>>set id 1000
>>>set detail "Hello 'World'"
>>
>>>set query {
>>>    INSERT INTO article (id, detail) VALUES ($id, '$deatil')
>>>}
>>
>>>set test [subst $query]
>>
>>>dbh eval $test
>>
>>What you are talking about is properly called an SQL Insertion Attack (see http://en.wikipedia.org/wiki/SQL_injection).
>>
>>Note -- this has *NOTHING* to do with Tcl.
>>
>>The answer is to use bind/bound parameters. The exact syntax depends on the
>>database extension (or the tcldb that will be in Core in 8.6) you are
>>using, which you did not identify.
>>
>>The other option is to do a [string map] on detail to substitute two single
>>quotes wherever there is one.
>>
>>--
>>+------------------------------------------------------------------------+
>>| Gerald W. Lester                                                       |
>>|"The man who fights for his ideals is the man who is alive." - Cervantes|
>>+-----------------------------------------------------------------------
From: Gerry Snyder on 6 Sep 2009 11:02

Mel wrote:
> Thanks for your reply. I do however think it is a substitution problem;
> consider the following:
>
> set id 1000
> set detail "Hello 'World'"
>
> set x{
>     Jack of all Trades $id, '$deatil " { ['
>
> }
>
> set test [subst $x] ; <<< still fails
>
> There must be a way of not interpreting the string. I hope you
> agree ;-)

This looks like a retyping of what you actually ran. I assume there was actually a space between the "x" and the "{"?

Please copy and paste whenever possible, and be extremely careful when retyping is necessary. Otherwise folks will waste time finding typos rather than debugging your code.

Gerry