[stripbackticks]

Description

Link: [stripbackticks]
Author: Johan Sölve
Category: String
Version: 8.x
License: Public Domain
Posted: Sep. 25, 2008
Updated: Sep. 25, 2008

Backticks need to be filtered from user input to prevent SQL injection, for example where sort fields can be specified dynamically in a URL.

This tag strips them the same way Lasso inlines do: everything from the first backtick onward is dropped.

1. ALWAYS use backticks around MySQL table names and field names (i.e. object names) where they will be dynamically specified in an SQL string.

2. Strip backticks from user input that will be used as MySQL object names.

3. Most important: Validate and sanitize all user input! All client input should be considered hostile until proven otherwise.

Parameters

-input string, required

Sample Usage

-sql='SELECT * FROM mytable ORDER BY `'
    + stripbackticks(action_param('sortfield')) + '`'
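The rules above combine two layers: quoting the object name in backticks and removing any backtick from the value, plus validating the input. The following is an added example, not part of the original tag page, written in Python rather than Lasso so it can be run anywhere. It ports the tag's semantics (keep only the text before the first backtick) and adds the allowlist check that rule 3 asks for; the column set and table name are constructed sample values, not from the page.

```python
# Added example (not the original Lasso tag): same truncation rule as
# stripbackticks, plus an allowlist check on the sort field.

def strip_backticks(value) -> str:
    """Mirror of the Lasso tag: keep only the text before the first backtick.

    A value with no backtick is returned unchanged; a value that starts
    with a backtick becomes the empty string, exactly as split('`')->first
    behaves in the Lasso version.
    """
    return str(value).split('`', 1)[0]


# Constructed sample schema: the columns this endpoint may sort by.
ALLOWED_SORT_FIELDS = frozenset({"id", "name", "created"})


def safe_sort_field(requested, allowed=ALLOWED_SORT_FIELDS, default="id") -> str:
    """Rule 2 then rule 3: strip backticks, then require a known column name.

    Anything outside the allowlist falls back to the default column instead
    of reaching the query, so an unexpected value can only change which
    permitted column is used, never the shape of the statement.
    """
    candidate = strip_backticks(requested)
    return candidate if candidate in allowed else default


def build_order_by(requested, table="mytable") -> str:
    """Rule 1: the object name is always wrapped in backticks (hypothetical table name)."""
    field = safe_sort_field(requested)
    return "SELECT * FROM " + table + " ORDER BY `" + field + "`"


if __name__ == "__main__":
    # Constructed inputs: a clean field, a field with trailing backtick junk,
    # and a name that is not a column at all.
    for sample in ("name", "name` junk", "not_a_column"):
        print(repr(sample), "->", build_order_by(sample))
```

Stripping alone only protects the quoted-identifier position it was designed for; the allowlist is what makes the sort field safe regardless of where it is placed, which is why the page's third rule is marked as the most important one.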

Source Code

Click the "Download" button below to retrieve a copy of this tag, including the complete documentation and sample usage shown on this page. Place the downloaded ".inc" file in your LassoStartup folder, restart Lasso, and you can begin using this tag immediately.
define_tag('stripbackticks',
    -description='Removes backticks (`) from a string to make it safe for MySQL object names',
    -priority='replace',
    -required='input');
    // Coerce the input to a string, then keep only the part before the first backtick.
    // A value without any backtick is returned unchanged.
    local('output' = string(#input));
    #output = #output -> split('`') -> first;
    return(@#output);
/define_tag;
