[vlc-devel] [PATCH] Prepared statements for SQL

jpd at videolan.org
Wed Oct 21 15:48:19 CEST 2009

On Wed, Oct 21, 2009 at 03:18:33PM +0200, Laurent Aimar wrote:
> On Wed, Oct 21, 2009, jpd at videolan.org wrote:
> > >  I don't understand what i_length is. If it is strlen(psz_fmt), then
> > > it is useless, otherwise a more explicit documentation is needed.
> > 
> > The sql functions likely take a non-zero-terminated string, making
> > psz_fmt a bit of a misnomer. This also needs documenting, of course.
>  I would then really prefer it to be 0 terminated if possible and to
> remove the length parameter.

That means the module now must call strlen() instead of the original
caller (who may already know this), because if it is as I suspect then
the underlying library will want a char */size_t pair anyway. The int
should really be unsigned, ideally a size_t, though.

> Is '\0' a valid char inside a SQL request?

Probably not, but I would not rely on it. The point is to move from
in-band signalling to out-of-band signalling, because the former is what
allows SQL injection and related attacks in the first place.
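The in-band versus out-of-band distinction above is the whole argument for prepared statements, so here is an added illustration (not code from the thread or from VLC) using Python's standard `sqlite3` module as a stand-in for the C API being discussed. The table, rows and inputs are constructed for the example; the point is that once the SQL text and the data are passed separately, a quote character in the data can no longer change the statement, and the driver carries the value's length out of band rather than scanning for a terminator inside it.

```python
import sqlite3

# Constructed sample rows; the schema is invented for this example, not VLC's.
CONSTRUCTED_ROWS = [("Alpha", 5), ("Beta", 3), ("O'Brien", 4)]


def setup():
    """Create an in-memory table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE media (id INTEGER PRIMARY KEY, title TEXT, rating INTEGER)")
    conn.executemany("INSERT INTO media (title, rating) VALUES (?, ?)", CONSTRUCTED_ROWS)
    return conn


def find_inband(conn, title):
    """In-band signalling: the value is spliced into the SQL text, so the SQL
    parser sees any quote inside it as part of the statement."""
    sql = "SELECT id, title FROM media WHERE title = '%s'" % title
    return conn.execute(sql).fetchall()


def find_outofband(conn, title):
    """Out-of-band signalling: the statement is prepared with a placeholder and
    the value is bound separately (pointer + length underneath), never parsed as SQL."""
    return conn.execute("SELECT id, title FROM media WHERE title = ?", (title,)).fetchall()


def inband_breaks_on_quote(conn, title="O'Brien"):
    """Perfectly legitimate data containing a quote already breaks the in-band query,
    which is the same defect an injection exploits."""
    try:
        find_inband(conn, title)
        return False
    except sqlite3.OperationalError:
        return True


def demo():
    """Run both variants on legitimate data and on a constructed quote-bearing input."""
    conn = setup()
    # Constructed input whose quotes rewrite the in-band statement's WHERE clause.
    quoted_input = "' OR '1'='1"
    return {
        "legit_outofband": find_outofband(conn, "O'Brien"),
        "legit_inband_fails": inband_breaks_on_quote(conn),
        "inband_rows": len(find_inband(conn, quoted_input)),      # every row: statement changed
        "outofband_rows": len(find_outofband(conn, quoted_input)),  # no row has that literal title
    }


if __name__ == "__main__":
    print(demo())
```

The same contrast applies to the C API under discussion: a `(const char *, size_t)` pair for the statement text plus separate bind calls for each value keeps the module from ever having to scan the data for a terminator, and the unsigned length type is what lets the caller pass exactly the bytes it has.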
