HardenedBSD Package Manager
Don't arbitrarily disallow semicolons in query strings. If you're trying to guard against sql injection, this is not the way (and there would still be statements that don't need a semicolon to work). However, with the string quoting patch I'm quite confident that there can be no sql injection.
Rolf Grossmann committed 13 years ago
commit 7e3e69c984b9d25c45a265602f4e4cd282c25e57
parent 90fc28e4648e6d31508b6b8122636cba02b38dcd
1 file changed +0 -4
modified pkg/query.c
@@ -387,10 +387,6 @@ format_sql_condition(const char *str, struct sbuf *sqlcond)
	type_t state = NONE;
	sbuf_cat(sqlcond, " WHERE ");
	while (str[0] != '\0') {
-
		if (str[0] == ';') {
-
			fprintf(stderr, "';' is forbidden in evaluation format");
-
			return (EPKG_FATAL);
-
		}
		if (state == NONE) {
			if (str[0] == '%') {
				str++;
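Review bot: the safety argument for dropping the `;` check rests entirely on the "string quoting patch" named in the commit message, which is not part of this diff, so this hunk should not be merged on its own; reference that commit (by id) in the message, or fold the removal into the same change, so the four removed lines in `format_sql_condition` can never land on a tree that lacks the quoting. As the message itself notes, a blacklist on `;` never prevented injection (many statements need no terminator), but quoting/escaping user text into a built-up `WHERE` string is also weaker than binding the value as a parameter; if the caller can pass the format value through a bound parameter rather than concatenating it into `sqlcond`, that removes the class of bug rather than one symptom of it.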