[AppDb] [3/3] Comments handling cleanup
chmorgan at gmail.com
Sun Jun 25 19:22:19 CDT 2006
The makeSafe() changes for filtering data and the query_parameters()
changes for sql injection parameters are related but independent
It seems like query_parameters() is a better fix than putting inline
sprintf()s and quote_safe_sql() calls. query_parameters()
encapsulates the calls to whatever 'escape' function that we choose.
query_parameters() also uses the syntax that pear db uses for place
holders, ?, ~ and &.
On 6/25/06, Jonathan Ernst <jonathan at ernstfamily.ch> wrote:
> Here is a cleaned up version of the comments handling that better fixes
> (imho) all problems related to sql and html injection (it requires the previous patches to be applied).
> It is based on php manual's best practices for avoiding injection.
> I'd be very glad if we'll use such mechanism for the rest of the
> queries and get rid of compile_whatever, makeSafe & co.
> - avoid sql/html injection in the comments
> Files changed:
> - addcomment.php
> - deletecomment.php
> - include/comment.php
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v126.96.36.199 (GNU/Linux)
> -----END PGP SIGNATURE-----
More information about the wine-devel