undefine do not escape function name parameter (just use plain %s format specifier) which can lead to SQL injection if non-trusted user can create custom functions like this: select define('f ''; drop table innocent; --', '1');
sqlean must use dedicated %q and %wspecifiers which automatically duplicate single(')/double quote(") in order to avoid such issues.
nalgeon
commented
2 months ago
Context
undefinedo not escape function name parameter (just use plain%sformat specifier) which can lead to SQL injection if non-trusted user can create custom functions like this:select define('f ''; drop table innocent; --', '1');sqleanmust use dedicated%qand%wspecifiers which automatically duplicate single(')/double quote(") in order to avoid such issues.