appdb security
Jonathan Ernst
jonathan at ernstfamily.ch
Thu Jun 8 11:12:20 CDT 2006
On Thursday 08 June 2006 at 11:42 -0400, Chris Morgan wrote:
> Can you come up with a non-destructive working example for the appdb
> website(appdb.winehq.org)? ;-)
>
> I ask because I thought we went through this some time ago but I agree that
> what you say looks like an open issue.
>
> Chris
Lately I have used the following snippet in all my webapps to secure them
against SQL injection:
http://php.net/mysql_real_escape_string under "Best practice".
<?php
function smart_quote($value)
{
    // Undo magic_quotes_gpc first, so the value is escaped exactly once
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Quote and escape the value unless it is a number
    if (!is_numeric($value)) {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}

// Secure query: every user-supplied value goes through smart_quote()
$sQuery = sprintf("SELECT *
                   FROM users
                   WHERE user=%s AND password=%s",
                  smart_quote($_POST['username']),
                  smart_quote($_POST['password']));
mysql_query($sQuery);
?>
I think it is better than what we have now in AppDB (I didn't check it,
though). If nobody looks at it, I'll check the code after my master's
thesis (in one month).
Jonathan
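The following is an added example, not code from this post or from AppDB. It ports the idea of smart_quote to Python and SQLite so that it runs offline without a MySQL server: the same login query is built three ways (raw interpolation, smart_quote-style quoting, bound parameters) and each is fed a constructed `' OR '1'='1` password. The users table, its two rows and the payload are made up for the demonstration. Two assumptions differ from the PHP: the numeric check is a plain decimal-integer regex rather than PHP's is_numeric, and a quote is escaped by doubling it, which is the SQL standard rule SQLite follows, whereas mysql_real_escape_string backslash-escapes for MySQL; the two rules are not interchangeable, so the escaping must always match the server the query is sent to.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data: an in-memory users table standing in for
    the MySQL table the query in the post selects from."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_unsafe(conn, username, password):
    """Raw interpolation: the pattern smart_quote is meant to replace."""
    query = ("SELECT user FROM users WHERE user='%s' AND password='%s'"
             % (username, password))
    return [row[0] for row in conn.execute(query)]


def smart_quote(value):
    """Port of the post's smart_quote(): leave an integer bare, quote and
    escape everything else.  Assumptions that differ from the PHP:
    - only a plain decimal integer counts as numeric (PHP's is_numeric
      also accepts floats and exponent forms);
    - SQLite escapes a quote by doubling it; mysql_real_escape_string
      backslash-escapes instead, which only MySQL understands."""
    if re.fullmatch(r"-?[0-9]+", value):
        return value
    return "'" + value.replace("'", "''") + "'"


def login_escaped(conn, username, password):
    """The post's query, built with smart_quote() instead of raw values."""
    query = ("SELECT user FROM users WHERE user=%s AND password=%s"
             % (smart_quote(username), smart_quote(password)))
    return [row[0] for row in conn.execute(query)]


def login_param(conn, username, password):
    """Bound parameters: the driver keeps the data out of the SQL text,
    so no escaping rule has to be chosen at all."""
    query = "SELECT user FROM users WHERE user=? AND password=?"
    return [row[0] for row in conn.execute(query, (username, password))]


# Constructed attacker input for the password field.  Interpolated raw it
# turns the WHERE clause into  ... AND password='' OR '1'='1'
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("unsafe :", login_unsafe(db, "alice", PAYLOAD))    # every user
    print("escaped:", login_escaped(db, "alice", PAYLOAD))   # nobody
    print("param  :", login_param(db, "alice", PAYLOAD))     # nobody
    print("param  :", login_param(db, "alice", "s3cret"))    # alice
```

Running it shows the raw version logging in as every user, while both the quoted and the parameterised versions return nothing for the payload and still find alice with her real password. The parameterised form is the one to prefer where the driver offers it: the quoting approach is only as good as the match between the escaping function and the server's quoting rules.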