cosmocode / sqlite

DokuWiki helper plugin to make SQLite access easier for other plugins
https://www.dokuwiki.org/plugin:sqlite

Problem with escaping identifiers #47

Closed solewniczak closed 7 months ago

solewniczak commented 7 years ago

According to https://sqlite.org/lang_keywords.html, SQLite distinguishes between two kinds of quoting:

  1. a string literal, quoted in single quotes: ''
  2. an identifier, quoted in double quotes: ""

The current implementation of \helper_plugin_sqlite::query escapes all the arguments as string literals, so it cannot be used to escape identifiers (for example ORDER BY $something). This forces programmers to concatenate the identifiers directly into the SQL query string, which may lead to a security issue.
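The distinction the comment describes, as an added example that is not part of the plugin or of the original issue: it uses Python's built-in sqlite3 module against an in-memory database with a constructed `pages` table, shows that binding a column name as a parameter makes it a string literal (so the ORDER BY sorts by a constant and has no effect), and shows the safe alternative of checking the name against an allow-list and then quoting it as a double-quoted identifier. The table, column names and `ALLOWED_ORDER_COLUMNS` are assumptions for the example.

```python
import sqlite3

# Columns a caller is permitted to sort by (assumption for this example).
ALLOWED_ORDER_COLUMNS = {"name", "created"}


def quote_identifier(name: str) -> str:
    """Quote an SQL identifier the SQLite way: wrap it in double quotes and
    double any embedded double quote. Use it only after allow-list checks;
    quoting alone does not decide whether a column should be sortable."""
    return '"' + name.replace('"', '""') + '"'


def fetch_ordered(conn, order_by: str, min_created: int):
    """Safe variant: the column name is validated against the allow-list and
    inserted as a quoted identifier, while the value stays a bound parameter."""
    if order_by not in ALLOWED_ORDER_COLUMNS:
        raise ValueError(f"unsupported sort column: {order_by!r}")
    sql = ("SELECT name FROM pages WHERE created >= ? ORDER BY "
           + quote_identifier(order_by))
    return [row[0] for row in conn.execute(sql, (min_created,))]


def fetch_ordered_literal(conn, order_by: str, min_created: int):
    """The failure mode from the issue: binding the column name as a parameter
    turns it into a string literal, so every row sorts equal and the rows come
    back in scan order rather than sorted by the requested column."""
    sql = "SELECT name FROM pages WHERE created >= ? ORDER BY ?"
    return [row[0] for row in conn.execute(sql, (min_created, order_by))]


def make_db():
    """Constructed sample data: three pages, inserted out of name order."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (name TEXT, created INTEGER)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)",
                     [("beta", 3), ("alpha", 2), ("gamma", 1)])
    return conn


if __name__ == "__main__":
    db = make_db()
    print("bound as literal:", fetch_ordered_literal(db, "name", 0))
    print("quoted identifier:", fetch_ordered(db, "name", 0))
```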

annda commented 7 months ago

@splitbrain I believe this issue is no longer relevant in the refactored version of the plugin. Can it be closed?

splitbrain commented 7 months ago

I guess so.