[vlc-devel] [PATCH] Prepared statements for SQL
jpd at videolan.org
Wed Oct 21 15:48:19 CEST 2009
On Wed, Oct 21, 2009 at 03:18:33PM +0200, Laurent Aimar wrote:
> On Wed, Oct 21, 2009, jpd at videolan.org wrote:
> > > I don't understand what i_length is. If it is strlen(psz_fmt), then
> > > it is useless, otherwise a more explicit documentation is needed.
> >
> > The sql functions likely take a non-zero-terminated string, making
> > psz_fmt a bit of a misnomer. This also needs documenting, of course.
>
> I would then really prefer it to be 0 terminated if possible and to
> remove the length parameter.
That means the module now must call strlen() instead of the original
caller (who may already know this), because if it is as I suspect then
the underlying library will want a char */size_t pair anyway. The int
should really be unsigned, ideally a size_t, though.
> Is '\0' a valid char inside a SQL request?
Probably not, but I would not rely on it. The point is to move from
in-band signalling to out-of-band signalling, because the former is what
allows SQL injection and related attacks in the first place.
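The in-band versus out-of-band distinction made above, shown as an added example that is not part of this thread and does not use VLC's sql module: a throwaway SQLite table queried once by splicing the value into the statement text (in-band, the data is re-parsed as SQL) and once by binding it as a parameter with its own length (out-of-band, the data never reaches the parser). The table, the `media` column names and the sample rows are constructed for the example; Python's sqlite3 module stands in for the char*/size_t style binding the message refers to.

```python
import sqlite3


def make_db():
    """Constructed sample database: two rows in an in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE media (id INTEGER PRIMARY KEY, title TEXT, rating INTEGER)"
    )
    conn.executemany(
        "INSERT INTO media (title, rating) VALUES (?, ?)",
        [("Intro", 5), ("Outro", 3)],
    )
    return conn


def lookup_inband(conn, title):
    # In-band: the value is pasted into the statement text, so the SQL
    # parser has no way to tell where the data ends and the query resumes.
    sql = "SELECT id, title, rating FROM media WHERE title = '" + title + "'"
    return conn.execute(sql).fetchall()


def lookup_outofband(conn, title):
    # Out-of-band: the statement is compiled with a placeholder and the
    # value is bound separately, length included; it is never re-parsed.
    return conn.execute(
        "SELECT id, title, rating FROM media WHERE title = ?", (title,)
    ).fetchall()


def inband_rejects(conn, title):
    """True if the spliced statement fails to parse (e.g. a title with a quote)."""
    try:
        lookup_inband(conn, title)
    except sqlite3.OperationalError:
        return True
    return False


def roundtrip_bound_value(conn, value):
    # Because binding passes an explicit length, a value containing '\0'
    # survives intact; a zero-terminated path would silently truncate it.
    cur = conn.execute(
        "INSERT INTO media (title, rating) VALUES (?, ?)", (value, 0)
    )
    row = conn.execute(
        "SELECT title FROM media WHERE id = ?", (cur.lastrowid,)
    ).fetchone()
    return row[0]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("in-band rows for probe:   ", len(lookup_inband(db, probe)))
    print("out-of-band rows for probe:", len(lookup_outofband(db, probe)))
    print("in-band parse error on O'Reilly:", inband_rejects(db, "O'Reilly"))
    print("bound NUL preserved:", roundtrip_bound_value(db, "ab\x00cd") == "ab\x00cd")
```

The same input returns every row through the in-band path and no row through the bound path, and a plain apostrophe is enough to make the in-band statement unparseable, which is the practical reason the message prefers an explicit length over relying on a terminator that the data itself may contain.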