[AppDb] [2/3] safe functions
chmorgan at gmail.com
Sun Jun 25 19:00:39 CDT 2006
You'll want to talk to EA about the filtering changes. The plan is to
filter using the same syntax and flags that the php filter extension
is going to use so we can easily switch over to this extension in the
Also, I've submitted a patch for review to appdb at winehq.com and
wine-patches at winehq.com that removes all of our get_magic_quotes_gpc()
use and adds a check in include/incl.php that warns and prevents appdb
from running if magic quotes is enabled. So you shouldn't need to
have any get_magic_quotes_gpc() checks anymore.
I also noticed your quote_smart_sql() call. This call isn't used
anywhere, we shouldn't add calls to functions that aren't called. We
also already have a function that will make sql calls safe called
query_paramters() in include/db.php. Also, do we want to strip tags
from sql? Won't that remove all tags from things like app/version
descriptions, comments and notes?
On 6/25/06, Jonathan Ernst <jonathan at ernstfamily.ch> wrote:
> The code I made is not dependent on magic_quote value and shouldn't
> allow anybody to mess with the values read or written from/to the
> database. Also it doesn't require to make copies of every single string the user
> passes to us.
> It is based on php manual's best practices for avoiding injection.
> I'd be very glad if we'll use such mechanism for the rest of the
> queries and get rid of compile_whatever, makeSafe & co.
> - functions to avoid sql/html injection without having issues with addslashes/magic_quotes_gpc
> Files changed:
> - include/util.php
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v126.96.36.199 (GNU/Linux)
> -----END PGP SIGNATURE-----
More information about the wine-devel