[AppDB] - protect against sql injection in select, update and
tony.lambregts at gmail.com
Sun Jun 25 16:37:23 CDT 2006
Chris Morgan wrote:
> Protect against sql injection attacks in select, update and delete statements
> by using query_parameters(). mysql_real_escape_string() is used on variables
> in cases where using query_parameters() isn't possible due to the complexity
> of the query. These could potentially be simplified so query_parameters()
> could be used.
This patch is quite large and it breaks moving an test results to an
I had spent a fair amount of time testing this before I found this bug
and I think that most of it may be OK but as they say "one drop of crap
in a gallon of wine..."
Can you submit some smaller chunks of this so that I can test them and
we get them in. We already have query_parameters() in the code base so
the simple stuff like addcomment.php is probably good to go. If you
could submit a patch for just those I would appreciate it.
More information about the wine-patches