[OSM-dev] Inserting with planet-to-db [offender]

Nick Burch openstreetmap at gagravarr.org
Sun Oct 21 17:48:09 BST 2007


On Sun, 21 Oct 2007, Martijn van Oosterhout wrote:
>> So my guess is the insert script should do something like html entities
>> to ascii?

Possibly, depends if you're going to want to get data back out for use in 
xml/html again or not...

If someone could suggest a perl library that'll decode html entities into 
ascii characters, then we could add in an option to do that. That way 
people can choose.

> The insert script should be using placeholders to avoid SQL injection 
> attacks... Or at the very least proper escaping.

It already uses prepared statements for everything, so I'm not sure where 
the problem's coming from (it should already be fine on the sql injection 
front, assuming the database actually supports prepared statements and 
parameters properly, which postgres/mysql certainly do).

Nick
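The two points in this message, decoding HTML entities before insert and relying on placeholders rather than escaping, as an added Perl example that is not planet-to-db code. It uses HTML::Entities (the kind of library asked for above) and DBI placeholders; the SQLite in-memory database and the "node_tags" table and column names are assumptions for illustration, not the real planet-to-db schema, and the tag values are constructed:

```perl
#!/usr/bin/perl
# Added example (not planet-to-db code): decode HTML entities in an OSM tag
# value and insert it with DBI placeholders, so the value is passed as a
# parameter and never interpolated into the SQL text. The SQLite database
# and the hypothetical "node_tags" table are assumptions for the demo.
use strict;
use warnings;
use DBI;
use HTML::Entities qw(decode_entities);

binmode(STDOUT, ':encoding(UTF-8)');

# Constructed sample tag values: the XML parser has already undone the XML
# escapes, but user-entered HTML entities may survive inside the text.
my @samples = (
    'Caf&eacute; du Monde',                   # decodes to a non-ASCII char
    'Fish &amp; Chips',                       # decodes to "Fish & Chips"
    q{Bob's Bar; DROP TABLE node_tags; --},   # hostile-looking value
);

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, sqlite_unicode => 1 });

$dbh->do('CREATE TABLE node_tags (node_id INTEGER, k TEXT, v TEXT)');

# Prepared once, executed with a fresh parameter set per row. The driver
# hands the parameters to the database separately from the statement text,
# so a quote or semicolon in a value cannot alter the statement.
my $sth = $dbh->prepare(
    'INSERT INTO node_tags (node_id, k, v) VALUES (?, ?, ?)');

my $node_id = 1;
for my $raw (@samples) {
    # The optional step discussed in the thread. Note decode_entities
    # produces Unicode characters, not ASCII: &eacute; becomes "é", so the
    # column should be stored as UTF-8 if the data is to round-trip.
    my $value = decode_entities($raw);
    $sth->execute($node_id++, 'name', $value);
}

# Read back: the table still exists and all three rows were stored intact.
my ($count) = $dbh->selectrow_array('SELECT COUNT(*) FROM node_tags');
print "rows stored: $count\n";
my $rows = $dbh->selectall_arrayref(
    'SELECT node_id, v FROM node_tags ORDER BY node_id');
print "$_->[0]: $_->[1]\n" for @$rows;

# Contrast, shown only as a comment: building the statement by string
# interpolation is what placeholders avoid. With the third sample the
# apostrophe in "Bob's" alone breaks the statement, and a crafted value
# could append SQL of its own.
#   $dbh->do("INSERT INTO node_tags (node_id, k, v)
#             VALUES ($node_id, 'name', '$value')");
```

The check worth adding before trusting "it uses prepared statements" is that the driver really sends parameters separately rather than emulating placeholders by client-side quoting; DBD::Pg and DBD::mysql do this properly, as the message says, but it is a per-driver property, not a DBI guarantee.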
