Link | stripbackticks |
Author | Johan Solve |
Category | String |
Version | 8.x |
License | Public Domain |
Posted | 25 Sep 2008 |
Updated | 25 Sep 2008 |
Backticks need to be filtered from user input to prevent SQL injection, for example where sort fields can be specified dynamically in a URL.
This tag strips them the same way Lasso inlines do: everything from the first backtick onward is dropped.
1. ALWAYS use backticks around MySQL table names and field names (i.e., object names) where they will be dynamically specified in an SQL string.
2. Strip backticks from user input that will be used as MySQL object names.
3. Most important: Validate and sanitize all user input! All client input should be considered hostile until proven otherwise.
-sql='SELECT * FROM mytable ORDER BY `' + stripbackticks(action_param('sortfield')) + '`'
Click the "Download" button below to retrieve a copy of this tag, including the complete documentation and sample usage shown on this page. Place the downloaded ".inc" file in your LassoStartup folder, restart Lasso, and you can begin using this tag immediately.
define_tag('stripbackticks',
    -description='Removes backticks (`) from a string to make it safe for MySQL object names',
    -priority='replace',
    -required='input');
    // Work on a string copy of the input so non-string values are handled too
    local('output' = string(#input));
    // Keep only the text before the first backtick, as Lasso inlines do;
    // input without any backtick is returned unchanged
    #output = #output -> split('`') -> first;
    return(@#output);
/define_tag;
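The following is an added example, not code from the tag page or from LassoSoft. It is a Python port of the tag's "drop everything from the first backtick" behaviour, combined with the three steps above: the identifier is backtick-quoted, backticks are stripped from the input, and the result is checked against an allowlist of known columns. The table name `mytable` (taken from the sample usage) and the column set `SORTABLE_FIELDS` are constructed for the example.

```python
# Constructed allowlist of columns a client may sort on (hypothetical schema).
SORTABLE_FIELDS = frozenset({"id", "name", "created"})


def stripbackticks(value) -> str:
    """Port of the Lasso tag: keep only the text before the first backtick.

    Input without a backtick is returned unchanged; an empty string stays empty.
    """
    return str(value).split("`")[0]


def validate_sortfield(value, allowed=SORTABLE_FIELDS) -> str:
    """Step 3 from the page: accept only a column name that is known to exist.

    Stripping backticks stops an attacker from closing the quoted identifier,
    but it does not stop arbitrary (non-existent) names reaching MySQL and
    producing error messages; the allowlist handles that case.
    """
    field = stripbackticks(value)
    if field not in allowed:
        raise ValueError(f"unknown sort field: {field!r}")
    return field


def build_order_by(sortfield, table="mytable") -> str:
    """Build the sample query with backtick-quoted object names (step 1)."""
    field = validate_sortfield(sortfield)
    return f"SELECT * FROM `{table}` ORDER BY `{field}`"


def classify(sortfield) -> str:
    """Return 'accepted' or 'rejected' for a candidate sort-field value."""
    try:
        build_order_by(sortfield)
        return "accepted"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    # Constructed sample values a client could send as ?sortfield=...
    samples = [
        "name",                              # legitimate column
        "name` DESC, (SELECT 1) -- ",        # tries to close the backtick
        "name ASC",                          # no backtick, but not a column
        "",                                  # empty parameter
    ]
    for s in samples:
        print(f"{s!r:40} -> stripped {stripbackticks(s)!r:10} {classify(s)}")
```

With the input from the second sample, `stripbackticks` alone already reduces the value to `name`, which is the behaviour the Lasso tag provides. The third sample shows why step 3 matters: there is no backtick to strip, and only the allowlist prevents `name ASC` from being sent to MySQL as a quoted (and non-existent) column name.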
©LassoSoft Inc 2015