SQL AnyWhere 17.0.10: Convert strings with a specific value


Hi All,

In my program, the user has the ability to enter a password for himself. And one of the users had problems during this procedure. It turned out that he was entering the password "k\xE08"

GRANT CONNECT TO "user1" IDENTIFIED BY 'k\xE08'

and when this password was stored in the database, it turned into the string "ka8". The reason for this is understandable to me in principle - SAW considers "\xE0" the code of the letter "a".

Question: Is there any way around this transformation?

Accepted Solutions (0)

Answers (1)

johnsmirnios
Employee

The password is a SQL string and hence the \xE0 portion is interpreted as an escape sequence. Likely your database charset is windows-1252, in which case character E0 is a-grave.

The question is, what did you want to have happen? If you wanted the password to be literally the six-character sequence k\xE08 then you haven't properly sanitized your inputs and your application is vulnerable to SQL-injection attacks.

To fix it, sanitize your inputs by disallowing problematic characters, properly escaping problematic characters or using a host variable.
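The following Python is an added example, not code from the original post or from SQL Anywhere itself. It models the two halves of the answer: a simplified decoder for how a single-quoted SQL Anywhere string literal is interpreted (the `\\`, `\n`, `\xHH` escapes and the doubled `''` quote; treating any other backslash as a literal backslash is an assumption of this model, as is the windows-1252 charset the answer suggests), and a quoting routine that doubles backslashes and single quotes so that whatever the user typed comes back out unchanged. The `naive_grant` function reproduces the statement from the question; `build_grant` is the escaped form. Where the driver lets you pass the value as a host variable, prefer that over building the text at all.

```python
import string

HEX_DIGITS = set(string.hexdigits)
DB_CHARSET = "cp1252"  # assumption: windows-1252, as the answer suggests for this database


def decode_sql_anywhere_literal(body: str, charset: str = DB_CHARSET) -> str:
    """Interpret the text between the quotes of a SQL Anywhere string literal.

    Simplified model for this example: handles \\\\, \\n, \\xHH and '' and
    assumes any other backslash is kept literally.
    """
    out = []
    i = 0
    n = len(body)
    while i < n:
        ch = body[i]
        if ch == "'" and body[i:i + 2] == "''":
            out.append("'")  # doubled quote is one embedded quote
            i += 2
        elif ch == "\\" and i + 1 < n:
            nxt = body[i + 1]
            hexpair = body[i + 2:i + 4]
            if nxt == "\\":
                out.append("\\")  # escaped backslash
                i += 2
            elif nxt == "n":
                out.append("\n")
                i += 2
            elif nxt == "x" and len(hexpair) == 2 and all(c in HEX_DIGITS for c in hexpair):
                # \xHH is a byte in the database charset: 0xE0 -> a-grave in cp1252
                out.append(bytes([int(hexpair, 16)]).decode(charset, errors="replace"))
                i += 4
            else:
                out.append(ch)  # assumption: other backslashes pass through literally
                i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def quote_string(value: str) -> str:
    """Return a single-quoted literal whose decoded value is exactly `value`."""
    return "'" + value.replace("\\", "\\\\").replace("'", "''") + "'"


def quote_identifier(name: str) -> str:
    """Return a double-quoted identifier with embedded double quotes doubled."""
    return '"' + name.replace('"', '""') + '"'


def naive_grant(user: str, password: str) -> str:
    """The statement from the question: user input pasted straight into the literal."""
    return f'GRANT CONNECT TO "{user}" IDENTIFIED BY \'{password}\''


def build_grant(user: str, password: str) -> str:
    """Same statement with both the identifier and the password properly quoted."""
    return f"GRANT CONNECT TO {quote_identifier(user)} IDENTIFIED BY {quote_string(password)}"


def roundtrips(value: str) -> bool:
    """True if quoting then decoding returns the original value."""
    literal = quote_string(value)
    return decode_sql_anywhere_literal(literal[1:-1]) == value


if __name__ == "__main__":
    typed = "k\\xE08"  # the six characters k \ x E 0 8, as the user typed them
    print(naive_grant("user1", typed))
    print("server stores:", decode_sql_anywhere_literal(typed))   # kà8
    print(build_grant("user1", typed))
    print("round trip ok:", roundtrips(typed), roundtrips("it's"))
```

Running it shows the unescaped statement storing `kà8` while the quoted statement sends `'k\\xE08'`, which decodes back to the six characters the user entered; the same quoting handles an embedded single quote, which is the case that turns a mangled password into an injection.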