set_quote_sql_str

The `set_quote_sql_str` directive quotes special characters in a string to safely use it in SQL queries.

Syntaxset_quote_sql_str var | var var;
Defaultnone
Contexthttp, server, location, if in server, if in location
Arguments1-2

Description

The set_quote_sql_str directive is part of the NGINX Set-Misc module and is utilized to prevent SQL injection by escaping user-generated strings that may contain special characters. This directive takes one or two arguments: the name of the variable to quote, and optionally, the input variable itself if an in-place edit is preferred. When this directive is applied, it adds necessary escape characters, such as backslashes and single quotes, to the variable's content to ensure that it can be safely embedded within SQL statements without altering their semantics or functionality.

In most cases, it is sufficient to specify a single variable as an argument. The directive processes the assigned string, looking for characters that need quoting for safe SQL operation. The result is then stored back into the specified variable. If the second argument is omitted, the directive modifies the original variable in-place. This can be particularly useful when holding complex values or when aiming to minimize memory usage by avoiding additional variable allocations.

Config Example

location /bar {
    set $foo "hello\n\n'\"\\";
    set_quote_sql_str $foo;
    # Now $foo is: 'hello\n\n\'\"\\'
}

Ensure that the variable contains a string value before invoking this directive; otherwise, the results may not be as expected.

Avoid using the directive on a variable that already contains SQL injection vulnerabilities; sanitize inputs prior to quoting.

← Back to all directives