On 23/01/2008, Jochem Maas <[EMAIL PROTECTED]> wrote:
> Dotan Cohen schreef:
> > I'm not accepting "--" at all until someone can show me a real world
> > case where one would use it, without the intention of SQL injection.
> > How can it be escaped, anyway?
>
> I might just want to put '--' in a textfield used as the basis for content
> for a webpage. just because I want to. the most pertinent example are wikis,
> they use '--' as markup (which is usually transformed into an <hr /> when the
> results are output for viewing ... but obviously you want the original markup
> when editing.
Just because I want to is not a real world example. The wiki bit is.
> INSERT INTO foo (textfield) VALUES ('--');
>
> nothing to escape in the case of a those chars being part of a string, the
> escaping
> mechanism [hopefully] ensures that a given string will never contain a byte
> sequence that
> the query parser will misinterpret as a sign to end the string (before the
> last intend quote
> delimiter) prematurely and thereby treat the remainder of the input string as
> SQL.
Is the "--" here not treated as the beginning of an SQL comment?
Dotan Cohen
http://what-is-what.com
http://gibberish.co.il
א-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
