Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Ted Behling (TBehlingMonarchIS.net)
Date: Wed Jun 19 2002 - 22:16:16 CDT
At 10:09 PM 6/19/2002, Steven J. Sobol wrote:
>On Wed, 19 Jun 2002, Ted Behling wrote:
> > >Yeahbut, lots of % in your SQL query can actually be more dangerous....
> > Not if you don't use the LIKE operator.
>And what if you end up in a situation where you need to?
Then you would escape your percent-signs, although this defeats the purpose
of the original questioner's URL-encoding: to avoid escaping quotes.
As an aside, I think URL encoding data to avoid SQL-injection attacks is
ridiculous. I've never found a good reason to URL encode data other than
using the data in a URL. If you need to write binary data as ASCII, use
base64 encoding, not URL encoding. It's a lot more space-efficient.
(Although you wrote to me privately, I'm replying to the list because
that's where this thread began.)
Ted Behling, Web Application Developer
Monarch Information Systems, Inc.