DS SQL Injection Question

DS SQL Injection Question

Justin Dennis-3
Lasso Team -

We have some DS code like this:

ds
->select('c.id AS customerID')
->from('customer c')
->where('c.email' = #email)
->limit(1)

Do we need to ->encodesql the #email variable to prevent possible sql
injection?

We've not been, because we assumed it was handled DS-side. Maybe a bad
assumption.

Thanks for any insights.

- Justin

#############################################################

This message is sent to you because you are subscribed to
  the mailing list Lasso [hidden email]
Official list archives available at http://www.lassotalk.com
To unsubscribe, E-mail to: <[hidden email]>
Send administrative queries to  <[hidden email]>
Re: DS SQL Injection Question

Ke Carlton-3
The short answer is no, not when you pass it pairs:

    #sql->where('this' = #anything)

The longer answer is: Yes, when you pass it a string / raw SQL:

     #sql->where(' this  LIKE "' + #anything->encodesql + '" ')

You can see what ds is doing by using the ->statement method.

Ke
On Sat, Aug 20, 2016 at 10:10 AM Justin Dennis <[hidden email]> wrote:

> Lasso Team -
>
> We have some DS code like this:
>
> ds
> ->select('c.id AS customerID')
> ->from('customer c')
> ->where('c.email' = #email)
> ->limit(1)
>
> Do we need to ->encodesql the #email variable to prevent possible sql
> injection?
>
> We've not been, because we assumed it was handled DS-side. Maybe a bad
> assumption.
>
> Thanks for any insights.
>
> - Justin

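To make the two ->where paths in the answer above concrete, here is an added example written for this page; it is not code from the ds library or from either poster. It is a toy builder in Python backed by an in-memory SQLite table with constructed sample rows. The names Query, where_pair, where_raw, lookup_pair, lookup_raw_unescaped, lookup_raw_escaped and the encodesql stand-in are illustration-only assumptions, and the stand-in only doubles single quotes (SQLite's quoting rule), so it does not reproduce Lasso's ->encodesql byte for byte. The pair path binds the value as a bound parameter, so an injection payload matches nothing; the raw-string path returns every customer unless the value is escaped before it is spliced into the SQL text.

```python
"""Toy query builder mirroring the pair vs raw-string ->where paths.

Added example for this page; not Ke Carlton's ds library. Runs offline
against an in-memory SQLite database.
"""
import sqlite3

# Constructed sample rows, not data from the thread.
CUSTOMERS = [(1, "alice@example.com"), (2, "bob@example.com"), (3, "carol@example.com")]


def fresh_db():
    """In-memory customer table populated with the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, email TEXT)")
    con.executemany("INSERT INTO customer VALUES (?, ?)", CUSTOMERS)
    return con


def encodesql(value):
    """Stand-in for Lasso's ->encodesql (assumption: SQLite's rule, which
    doubles a single quote inside a quoted literal; MySQL-style backslash
    escaping is not modelled)."""
    return str(value).replace("'", "''")


class Query:
    """Minimal ds-like builder: pairs become placeholders plus bound
    parameters, raw strings are spliced into the statement verbatim."""

    def __init__(self):
        self._select = "*"
        self._from = ""
        self._where = []
        self._params = []
        self._limit = None

    def select(self, cols):
        self._select = cols
        return self

    def from_(self, table):
        self._from = table
        return self

    def where_pair(self, column, value):
        # The 'column' = value form: the value never enters the SQL text.
        self._where.append(f"{column} = ?")
        self._params.append(value)
        return self

    def where_raw(self, sql):
        # The raw-string form: whatever the caller assembled is trusted as SQL.
        self._where.append(sql)
        return self

    def limit(self, n):
        self._limit = n
        return self

    def statement(self):
        """Counterpart of ds ->statement: the SQL text that will be sent."""
        sql = f"SELECT {self._select} FROM {self._from}"
        if self._where:
            sql += " WHERE " + " AND ".join(self._where)
        if self._limit is not None:
            sql += f" LIMIT {int(self._limit)}"
        return sql

    def run(self, con):
        """Execute with the bound parameters; return the first column of each row."""
        return [row[0] for row in con.execute(self.statement(), self._params)]


def lookup_pair(con, email):
    """The thread's query in pair form: no encodesql needed."""
    return (Query().select("c.id AS customerID").from_("customer c")
            .where_pair("c.email", email).limit(1).run(con))


def lookup_raw_unescaped(con, email):
    """Raw-string form without encodesql: injectable."""
    return (Query().select("c.id AS customerID").from_("customer c")
            .where_raw("c.email LIKE '" + email + "'").run(con))


def lookup_raw_escaped(con, email):
    """Raw-string form with the value escaped first: the quote cannot break out."""
    return (Query().select("c.id AS customerID").from_("customer c")
            .where_raw("c.email LIKE '" + encodesql(email) + "'").run(con))


PAYLOAD = "x' OR '1'='1"  # constructed injection attempt


if __name__ == "__main__":
    db = fresh_db()
    print(lookup_pair(db, "bob@example.com"))  # [2]
    print(lookup_raw_unescaped(db, PAYLOAD))   # [1, 2, 3]: every customer leaks
    print(lookup_raw_escaped(db, PAYLOAD))     # []
```

statement() plays the role of ds ->statement here: printing it for both builds shows the difference in the SQL text itself, a bound placeholder on the pair path versus the attacker's quote spliced straight into the literal on the raw path.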