[AppDB] Make screen shots safe from SQL injection

Chris Morgan cmorgan at alum.wpi.edu
Tue Jun 27 11:21:18 CDT 2006


> > As we've discussed before I'd rather we did a single full pass of manual
> > testing than several full passes.  It saves us time in that we don't have
> > to test the same things repeatedly like we would have to do when making
> > changes to things like classes that are used all over the code.
>
> Your logic is flawed and only applies if the patch has no bugs. By breaking
> up the patch into smaller pieces you save time in testing when there are
> problems.
>

When were you going to report the issue with query_parameters() that I found 
the other day and sent in a unit test and patch for? Why do projects like 
Wine have automated tests instead of manual ones? I think we want to mirror 
successful projects like this by automating our testing.  Manual testing may 
catch some bugs but it is always going to be more time consuming and less 
reproducible.

As I've said before, manual testing is ok but isn't likely to be as good as 
automated testing.  That function is used in all sql calls.  Modifying it 
should mean that we have to check EVERY sql call in the appdb.


> > In any case I'm implementing unit tests for nearly every bug I find.  I
> > haven't thought of a good way to unit test page actions yet though.
>
> I have no answer for that.
>

The trick is getting the parameters into $_REQUEST variables.  I think we'll 
have to build up an <input> form in the test and then submit it as if the user 
clicked on 'submit'.  That might require duplication of code how we currently 
have some of those pages designed but we may be able to refactor them into 
classes so we can reduce the duplication.

Chris


