[AppDB] - protect SQL insert statements from injection attacks
Chris Morgan
cmorgan at alum.wpi.edu
Thu Jun 22 15:08:53 CDT 2006
Change compile_insert_string() to compile_insert_array() and add a new first
parameter of $sTable that represents the table you are building the insert
statement for. The output of compile_insert_array() is passed to
query_insert() to perform the insertion. Change all existing calls of
compile_insert_string() to compile_insert_array() and specify the table as
the first parameter. Make all instances of SQL inserts that didn't use
compile_insert_string() use compile_insert_array().

The use of mysql_real_escape_string() inside of compile_insert_array()
protects the insert statement from SQL injection attacks.
Chris
-------------- next part --------------
A non-text attachment was scrubbed...
Name: compile_insert_array.patch
Type: text/x-diff
Size: 32284 bytes
Desc: not available
Url : http://www.winehq.org/pipermail/wine-patches/attachments/20060622/4da271d9/compile_insert_array-0001.patch
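Editor's added example, not AppDB's code and not the scrubbed patch above: a PHP insert builder in the spirit of the compile_insert_array()/query_insert() split the post describes, shown next to the concatenation pattern it replaces. The function bodies, demo_escape() as an offline stand-in for mysql_real_escape_string(), the $escape callback parameter, the appFamily table and its columns, and the sample row are all assumptions made for illustration.

```php
<?php
// Added example, not AppDB's code: an insert builder in the spirit of the
// compile_insert_array()/query_insert() split described in the post.
// Everything below (function bodies, demo_escape(), the appFamily table
// and its columns, the sample row) is assumed for illustration.

// Offline stand-in for mysql_real_escape_string(), which needs an open
// connection. It escapes the same characters (NUL, \n, \r, \, ', ", ^Z),
// but the real function must be used in production: it knows the
// connection's character set, which matters for multibyte encodings.
function demo_escape($s)
{
    return strtr($s, array(
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\\"   => "\\\\",
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => "\\Z",
    ));
}

// Build "INSERT INTO `table` (`col`, ...) VALUES (...)" from an associative
// array. Every string value is escaped by $escape and then single-quoted;
// escaping only helps inside quotes, so nothing is ever interpolated bare.
// Table and column names are not covered by mysql_real_escape_string(), so
// they are checked against an identifier pattern and backtick-quoted.
function compile_insert_array($sTable, array $aValues, $escape)
{
    $sIdent = '/^[A-Za-z_][A-Za-z0-9_]*$/';
    if (!preg_match($sIdent, $sTable)) {
        throw new InvalidArgumentException("Bad table name: $sTable");
    }
    $aCols = array();
    $aVals = array();
    foreach ($aValues as $sCol => $mVal) {
        if (!preg_match($sIdent, $sCol)) {
            throw new InvalidArgumentException("Bad column name: $sCol");
        }
        $aCols[] = "`$sCol`";
        if ($mVal === null) {
            $aVals[] = "NULL";
        } elseif (is_int($mVal)) {
            $aVals[] = (string) $mVal;          // integers need no quoting
        } else {
            $aVals[] = "'" . $escape((string) $mVal) . "'";
        }
    }
    return "INSERT INTO `$sTable` (" . implode(", ", $aCols) . ")"
         . " VALUES (" . implode(", ", $aVals) . ")";
}

// Constructed hostile input: closes the string literal, supplies its own
// appId and comments out the rest of the statement.
$aRow = array(
    "appName"     => "Foo', 0); -- ",
    "appId"       => 42,
    "description" => null,
);

// Before: the concatenation pattern the post replaces. The value's quote
// ends the literal early, so the attacker chooses appId.
$sUnsafe = "INSERT INTO appFamily (appName, appId) VALUES ('"
         . $aRow["appName"] . "', " . $aRow["appId"] . ")";

// After: the escaped form, which is what would be handed to query_insert().
$sSafe = compile_insert_array("appFamily", $aRow, 'demo_escape');

echo $sUnsafe, "\n", $sSafe, "\n";
```

With the sample row, the naive string comes out as `INSERT INTO appFamily (appName, appId) VALUES ('Foo', 0); -- ', 42)`: the row is stored with appId 0 and the real value is commented away. The built statement keeps the whole input inside one literal, `'Foo\', 0); -- '`. Two caveats a practitioner should keep in mind when relying on mysql_real_escape_string() for this: it is only effective for values that end up inside quotes, so a number interpolated bare, or a column or table name, gets no protection from it (hence the identifier check and the backticks above), and it must be called with an open connection so that it escapes according to the connection's character set.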