[AppDb] Comments handling cleanup

Tony Lambregts tony.lambregts at gmail.com
Sun Jun 25 11:59:17 CDT 2006


Jonathan Ernst wrote:
> Hi,
> 
> I followed your discussions about sql/html injection and had a look at
> what you are doing in order to fix the situation and I don't want to
> offense anybody but I feel that what you are trying to do is a bit hacky
> ;-).
> 
> Here is a cleaned up version of the comments handling that better fixes
> (imho) all problems related to sql and html injection.
> 
> The code I made is not dependent on magic_quote value and should'nt
> allow anybody to mess with the values read or written from/to the
> database. Also it doesn't require to make copies of every single string the user
> passes to us.
> 
> It is based on php manual's best practices for avoiding injection.
> 
> I'd be very glad if we'll use such mechanism for the rest of the
> queries and get rid of compile_whatever, makeSafe & co.
> 
> This patch follows the Coding Standards we set up a little bit more as
> well.
> 
> Awaiting your comments.

I am more in favor of this approach than using makeSafe() and do the same thing 
as Chris's query_parameters() patch. However I am hard pressed to say whether 
this method is really better or safer than query_parameters().

I have had real issues with makeSafe() the primary one is that IMO the place to 
make sure that we are safe from sql injection is where we create the SQL. The 
makeSafe() did not do that.

The changes to that are only cosmetic and make it harder to see the actual 
changes. Formating changes should be in a separate patch.

Also I would really appreciate a "Files Changed:" section that lists the files 
changed/added/removed by this patch. I find that it really helps in reviewing 
patches.

Please resubmit with the formating changes in a separate patch.

--

Tony Lambregts



More information about the wine-devel mailing list