[AppDb] [3/3] Comments handling cleanup

Chris Morgan chmorgan at gmail.com
Sun Jun 25 19:22:19 CDT 2006


The makeSafe() changes for filtering data and the query_parameters()
changes for sql injection parameters are related but independent
changes.

It seems like query_parameters() is a better fix than putting inline
sprintf()s and quote_safe_sql() calls.  query_parameters()
encapsulates the calls to whatever 'escape' function that we choose.
query_parameters() also uses the syntax that PEAR DB uses for
placeholders, ?, ~ and &.

Chris



On 6/25/06, Jonathan Ernst <jonathan at ernstfamily.ch> wrote:
> Hi,
>
> Here is a cleaned up version of the comments handling that better fixes
> (imho) all problems related to SQL and HTML injection (it requires the
> previous patches to be applied).
>
> It is based on the PHP manual's best practices for avoiding injection.
>
> I'd be very glad if we used such a mechanism for the rest of the
> queries and got rid of compile_whatever, makeSafe & co.
>
> Changelog:
> - avoid SQL/HTML injection in the comments
>
> Files changed:
> - addcomment.php
> - deletecomment.php
> - include/comment.php
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2.2 (GNU/Linux)
>
> iD8DBQBEnt7XIW5mR/h6b38RAqtqAKCw7qX+8JTVDI0VvvHSfZTbeGYJOQCglZtg
> gRVPintjJeZ1yhupSF5V+RE=
> =6bPd
> -----END PGP SIGNATURE-----
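The trade-off Chris and Jonathan describe above, shown as an added example that is not code from the AppDB or from either author. It is written in Python against an in-memory SQLite table because it can be run directly; the AppDB itself is PHP, and the names naive_quote_safe_sql(), query_parameters_demo(), find_inline() and find_bound() are stand-ins chosen here, not the project's real quote_safe_sql() or query_parameters(). The sample rows and the attacker inputs are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the AppDB): an in-memory SQLite table
    stands in for the comments table a MySQL-backed PHP app would query."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE comments (id INTEGER PRIMARY KEY, appId INTEGER, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO comments (appId, body) VALUES (?, ?)",
        [(1, "works fine"), (1, "crashes on start"), (2, "needs a newer wine")],
    )
    conn.commit()
    return conn


def naive_quote_safe_sql(value):
    """Hypothetical stand-in for an inline escaping helper: doubles single
    quotes. It only protects a query if every call site remembers to apply it
    AND wraps the result in quotes; numeric values dropped in unquoted bypass it."""
    return str(value).replace("'", "''")


def find_inline(conn, app_id, text):
    """The inline sprintf() + escape pattern the thread argues against.
    The string value is escaped, but the numeric id is interpolated unquoted
    and unescaped, so a crafted app_id rewrites the WHERE clause."""
    sql = "SELECT body FROM comments WHERE appId = %s AND body = '%s'" % (
        app_id,
        naive_quote_safe_sql(text),
    )
    return [row[0] for row in conn.execute(sql)]


def query_parameters_demo(conn, sql, *params):
    """Illustration of one central query helper (hypothetical, not the AppDB's
    query_parameters()): the SQL text carries '?' placeholders and the values are
    bound by the driver, so no call site ever builds SQL text from user input."""
    return conn.execute(sql, params)


def find_bound(conn, app_id, text):
    """Same lookup through the central helper: both values are bound, and the
    attacker string for app_id is compared as a value, never parsed as SQL."""
    rows = query_parameters_demo(
        conn, "SELECT body FROM comments WHERE appId = ? AND body = ?", app_id, text
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    evil_id = "1 OR 1=1 --"  # constructed attacker input for the numeric parameter
    print(find_inline(db, 1, "works fine"))     # ['works fine']
    print(find_inline(db, evil_id, "nothing"))  # every row: the WHERE clause is neutralised
    print(find_bound(db, evil_id, "nothing"))   # []
```

The escape helper does its job where it is applied (a body of `x' OR '1'='1` matches nothing in find_inline), which is exactly why bugs of this kind survive review: the hole is the one call site that skipped it. Routing every query through one helper that binds parameters removes that per-call-site decision, which is the encapsulation point made above.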



More information about the wine-devel mailing list