Author: Johan Solve
License: Public Domain
Posted: 25 Sep 2008
Updated: 25 Sep 2008


Backticks need to be filtered from user input to prevent SQL injection, for example where sort fields can be specified dynamically in a URL.

This tag strips them the same way Lasso inlines do: everything from the first backtick onward is dropped.

1. ALWAYS use backticks around MySQL table names and field names (i.e. object names) where they will be dynamically specified in an SQL string.

2. Strip backticks from user input that will be used as MySQL object names.

3. Most important: Validate and sanitize all user input! All client input should be considered hostile until proven otherwise.

Sample Usage

-sql='SELECT * FROM mytable ORDER BY `' 
    + stripbackticks(action_param('sortfield')) + '`'
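The three steps above, as an added example in Python rather than code from this page or from LassoSoft: the same strip-at-first-backtick rule, the quoted ORDER BY identifier from the Sample Usage, and an allowlist for step 3 that also covers the empty identifier left when input starts with a backtick. An in-memory SQLite table stands in for MySQL (SQLite accepts MySQL-style backtick quoting); the table, rows and allowlist are constructed for the example.

```python
import sqlite3

# Constructed allowlist of sortable columns for the example table.
SORTABLE = frozenset({"id", "name", "created"})


def strip_backticks(value):
    """Same rule as the stripbackticks tag: keep only the text before
    the first backtick, dropping everything from it onward."""
    return value.split("`", 1)[0]


def quoted_order_by(sortfield):
    """Steps 1 and 2 (strip, then wrap in backticks), exactly as the
    Sample Usage does it, with no validation of the field name."""
    return "ORDER BY `" + strip_backticks(sortfield) + "`"


def validated_order_by(sortfield, allowed=SORTABLE, default="id"):
    """Step 3 added: anything not on the allowlist, including the empty
    string left when the input starts with a backtick, falls back to the
    default sort field instead of producing an invalid identifier."""
    field = strip_backticks(sortfield)
    return "ORDER BY `" + (field if field in allowed else default) + "`"


def demo_conn():
    """In-memory SQLite stand-in for the MySQL table; rows are constructed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE mytable (id INTEGER, name TEXT, created TEXT);"
        "INSERT INTO mytable VALUES (1, 'carol', '2008-09-25');"
        "INSERT INTO mytable VALUES (2, 'alice', '2008-09-24');"
        "INSERT INTO mytable VALUES (3, 'bob', '2008-09-23');"
    )
    return conn


def names_sorted_by(conn, sortfield):
    """Run the query the Sample Usage builds, using the validated clause."""
    sql = "SELECT name FROM mytable " + validated_order_by(sortfield)
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    conn = demo_conn()
    # Hostile and malformed sort fields collapse to a plain quoted identifier.
    for requested in ("name", "name` DESC, (SELECT 1)", "`created", "nosuchcolumn"):
        print(repr(requested), "->", validated_order_by(requested),
              names_sorted_by(conn, requested))
```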

Source Code

Click the "Download" button below to retrieve a copy of this tag, including the complete documentation and sample usage shown on this page. Place the downloaded ".inc" file in your LassoStartup folder, restart Lasso, and you can begin using this tag immediately.

define_tag('stripbackticks', -description='Removes backticks (`) from a string to make it safe for MySQL object names', -required='input'); // the parameter name 'input' is assumed; the listing on this page is truncated
    local('output' = string(#input));
    // Keep only the text before the first backtick, the same way Lasso inlines do
    #output = #output -> split('`') -> first;
    return(#output);
/define_tag;

