From: Ted Behling (TBehlingMonarchIS.net)
Date: Wed Jun 19 2002 - 22:16:16 CDT

At 10:09 PM 6/19/2002, Steven J. Sobol wrote:
>On Wed, 19 Jun 2002, Ted Behling wrote:
> > >Yeahbut, lots of % in your SQL query can actually be more dangerous....
> >
> > Not if you don't use the LIKE operator.
>
>And what if you end up in a situation where you need to?

Then you would escape your percent-signs, although this defeats the purpose
of the original questioner's URL-encoding: to avoid escaping quotes.

As an aside, I think URL encoding data to avoid SQL-injection attacks is
ridiculous. I've never found a good reason to URL encode data other than
using the data in a URL. If you need to write binary data as ASCII, use
base64 encoding, not URL encoding. It's a lot more space-efficient.

(Although you wrote to me privately, I'm replying to the list because
that's where this thread began.)

Ted Behling, Web Application Developer
Monarch Information Systems, Inc.
tbehlingmonarchis.net
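The two problems the thread touches on, a quote breaking a string-built query and a user-supplied % or _ turning into a LIKE wildcard, can be shown side by side with a small sqlite3 script. This is an added example, not code from the original thread or from any of its participants; the products table, the rows in it and the function names are constructed for illustration. The safe version binds the search term as a parameter (so quotes need no escaping at all) and escapes the LIKE metacharacters with an explicit ESCAPE clause, which is the "escape your percent-signs" step the reply refers to.

```python
import sqlite3
from typing import List

# Constructed sample rows for the example; not data from the original thread.
ROWS = ["100% cotton", "1000 piece puzzle", "100 % sale", "Ted's picks", "100_plus"]


def build_db() -> sqlite3.Connection:
    """Create an in-memory table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?)", [(r,) for r in ROWS])
    return conn


def search_unsafe(conn: sqlite3.Connection, term: str) -> List[str]:
    """Prefix search with the term pasted into the SQL text.

    A quote in `term` breaks the statement, and a % or _ in `term` is
    interpreted by LIKE as a wildcard instead of as literal text.
    """
    sql = f"SELECT name FROM products WHERE name LIKE '{term}%'"
    return sorted(r[0] for r in conn.execute(sql))


def unsafe_breaks(conn: sqlite3.Connection, term: str) -> bool:
    """True if the string-built query fails to parse for this term."""
    try:
        search_unsafe(conn, term)
    except sqlite3.OperationalError:
        return True
    return False


def like_escape(term: str, esc: str = "\\") -> str:
    """Escape the ESCAPE character first, then the two LIKE metacharacters.

    Order matters: escaping % and _ before the escape character itself would
    double-escape the prefixes just added.
    """
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_safe(conn: sqlite3.Connection, term: str) -> List[str]:
    """Prefix search with a bound parameter plus an ESCAPE clause.

    Parameter binding makes quotes harmless; the ESCAPE clause tells LIKE
    that \\% and \\_ are literal characters rather than wildcards. The
    trailing % is the one wildcard we actually intend.
    """
    pattern = like_escape(term) + "%"
    rows = conn.execute(
        "SELECT name FROM products WHERE name LIKE ? ESCAPE '\\'", (pattern,))
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    db = build_db()
    print("unsafe '100%':", search_unsafe(db, "100%"))   # every name starting with 100
    print("safe   '100%':", search_safe(db, "100%"))     # only the literal "100%" prefix
    print("safe   '100_':", search_safe(db, "100_"))     # only the literal "100_" prefix
    print("unsafe \"Ted's\" breaks:", unsafe_breaks(db, "Ted's"))
    print("safe   \"Ted's\":", search_safe(db, "Ted's"))
```

The ESCAPE clause is standard SQL, but the character you pick must not itself appear unescaped in the pattern, which is why `like_escape` doubles it before touching % and _. Note that binding the parameter alone is not enough for LIKE: the wildcard characters are interpreted after binding, so the escaping step is still required even with prepared statements.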