On 23/01/2008, Jochem Maas <jochem@xxxxxxxxxxxxx> wrote:> Dotan Cohen schreef:> > I'm not accepting "--" at all until someone can show me a real world> > case where one would use it, without the intention of SQL injection.> > How can it be escaped, anyway?>> I might just want to put '--' in a textfield used as the basis for content> for a webpage. just because I want to. the most pertinent example are wikis,> they use '--' as markup (which is usually transformed into an <hr /> when the> results are output for viewing ... but obviously you want the original markup> when editing.
Just because I want to is not a real world example. The wiki bit is.
> INSERT INTO foo (textfield) VALUES ('--');>> nothing to escape in the case of a those chars being part of a string, the escaping> mechanism [hopefully] ensures that a given string will never contain a byte sequence that> the query parser will misinterpret as a sign to end the string (before the last intend quote> delimiter) prematurely and thereby treat the remainder of the input string as SQL.
Is the "--" here not treated as the beginning of an SQL comment?
Dotan Cohen
http://what-is-what.comhttp://gibberish.co.ilא-ב-ג-ד-ה-ו-ז-ח-ט-י-ך-כ-ל-ם-מ-ן-נ-ס-ע-ף-פ-ץ-צ-ק-ר-ש-ת;
A: Because it messes up the order in which people normally read text.Q: Why is top-posting such a bad thing?
