[OSM-dev] Inserting with planet-to-db [offender]
openstreetmap at gagravarr.org
Sun Oct 21 17:48:09 BST 2007
On Sun, 21 Oct 2007, Martijn van Oosterhout wrote:
>> So my guess is the insert script should do something like html entities
>> to ascii?
Possibly, depends if you're going to want to get data back out for use in
xml/html again or not...
If someone could suggest a perl library that'll decode html entities into
ascii characters, then we could add in an option to do that. That way
people can choose
> The insert script should be using placeholders to avoid SQL injection
> attacks... Or at the very least proper escaping.
It already uses prepared statements for everything, so I'm not sure where
the problem's coming from (it should already be fine on the sql injection
front, assuming the database actually supports prepared statements and
parameters properly, which postgres/mysql certainly do)
More information about the dev