On Mon, Oct 7, 2013 at 8:54 AM, Jeroen De Dauw jeroendedauw@gmail.com wrote:
Hey,
When constructing an SQL string, how should the following things be escaped, if at all?
- Field names
- Index names
It looks like when doing a select using the Database MW thing, the field names provided do not get escaped at all.
The "field names" are really arbitrary SQL at this point, and a few too many places in MW core abuse this, last I checked. The presumption is that user-controlled data should never go into the field name.
If you are writing an enhancement to this, you should wrap them in ` and escape ` characters in the name. DatabaseBase::addIdentifierQuotes wraps, but doesn't escape.
Cheers
--
Jeroen De Dauw
http://www.bn2vs.com
Don't panic. Don't be evil. ~=[,,_,,]:3
--
_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
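The wrap-and-escape behaviour described in the reply, as an added example that is not MediaWiki code and does not call DatabaseBase: the identifier is wrapped in backticks and any embedded backtick is doubled, and, since the thread's premise is that user data never belongs in a field name, the field is additionally checked against a hypothetical allowlist before the query is built.

```php
<?php
// Added example (not MediaWiki code). Quote a MySQL identifier: wrap in
// backticks and double any embedded backtick, the step the thread notes
// a wrap-only helper leaves out.
function quoteIdentifier(string $name): string {
    if ($name === '' || strlen($name) > 64 || strpos($name, "\0") !== false) {
        throw new InvalidArgumentException('invalid identifier');
    }
    return '`' . str_replace('`', '``', $name) . '`';
}

// Wrap-only quoting, for comparison: a backtick in the name closes the
// quoted identifier early and the rest of the name becomes bare SQL.
function wrapOnly(string $name): string {
    return '`' . $name . '`';
}

// Defensive layer: the field name must come from a fixed list known to
// the code (hypothetical column set), never straight from user input.
function selectField(string $table, string $field, array $allowedFields): string {
    if (!in_array($field, $allowedFields, true)) {
        throw new InvalidArgumentException("unknown field: $field");
    }
    return 'SELECT ' . quoteIdentifier($field) . ' FROM ' . quoteIdentifier($table);
}

// Constructed sample names for the demonstration.
$columns = ['page_id', 'page_title'];
$odd     = 'odd`name';

echo wrapOnly($odd), "\n";         // `odd`name`   -> identifier ends at the 5th char
echo quoteIdentifier($odd), "\n";  // `odd``name`  -> one identifier, backtick escaped
echo selectField('page', 'page_title', $columns), "\n";

try {
    selectField('page', 'page_title` FROM page -- ', $columns);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";  // not in the allowlist
}
```

Doubling the backtick is MySQL's escape for identifiers quoted with backticks; other engines quote identifiers with double quotes and double those instead, so the quoting routine is per database, not shared.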