[AppDb] [2/3] safe functions

Jonathan Ernst jonathan at ernstfamily.ch
Mon Jun 26 00:50:49 CDT 2006


On Sunday, 25 June 2006 at 20:00 -0400, Chris Morgan wrote:
> Hi Jonathan.
> 
> You'll want to talk to EA about the filtering changes.  The plan is to
> filter using the same syntax and flags that the php filter extension
> is going to use so we can easily switch over to this extension in the
> future.

I know we could use PEAR and we could also use a database abstraction
layer, I just thought my solution was better because it has proven to
work well on several projects I worked on recently and is recommended by
the php manual (and it makes queries more readable than using other
syntaxes).

> 
> Also, I've submitted a patch for review to appdb at winehq.com and
> wine-patches at winehq.com that removes all of our get_magic_quotes_gpc()
> use and adds a check in include/incl.php that warns and prevents appdb
> from running if magic quotes is enabled.  So you shouldn't need to
> have any get_magic_quotes_gpc() checks anymore.

Isn't it better to support both configurations? My solution works with
or without magic quotes.

> 
> I also noticed your quote_smart_sql() call.  This call isn't used
> anywhere, we shouldn't add calls to functions that aren't called.  We

It is used in 3/3.

> also already have a function that will make sql calls safe called
> query_paramters() in include/db.php.  Also, do we want to strip tags
> from sql?  Won't that remove all tags from things like app/version
> descriptions, comments and notes?

No, there is a parameter in this function (quote_smart_sql). By default
we don't remove html, but for some fields we might want to filter out
html (comment titles, etc.)


Thanks.

Jonathan
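The quote_smart approach discussed in this message, written out as an added example (this is not AppDb's code and not the patch under review). It assumes PHP with the pdo_sqlite extension loaded, uses an in-memory SQLite database so it runs offline, and the function names quote_smart_sql(), open_db(), insert_comment_escaped(), insert_comment_prepared() and comment_rows() are hypothetical names chosen for the illustration. It shows the two points argued above side by side: an escaping helper that tolerates both magic_quotes_gpc settings and strips HTML only on request, and a prepared statement that needs neither step because the value never enters the SQL text.

```php
<?php
// Added example, not AppDb's code. Assumes the pdo_sqlite extension is loaded;
// quote_smart_sql(), open_db(), insert_comment_escaped(), insert_comment_prepared()
// and comment_rows() are hypothetical names chosen for this illustration.
declare(strict_types=1);

/**
 * Escape one value for interpolation into SQL. Works whether or not
 * magic_quotes_gpc is on: slashes the runtime added are removed first, so the
 * value is never double-escaped. get_magic_quotes_gpc() no longer exists in
 * PHP 8, so it is only called when present. $strip_html removes markup for
 * fields such as comment titles; the default keeps it, since descriptions and
 * notes carry HTML.
 */
function quote_smart_sql(PDO $db, $value, bool $strip_html = false): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes((string) $value);
    }
    if ($strip_html) {
        $value = strip_tags((string) $value);
    }
    if (is_int($value) || is_float($value)) {
        return (string) $value;          // numeric literals need no quotes
    }
    return $db->quote((string) $value);  // driver-aware quoting, e.g. 'O''Reilly'
}

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');
    return $db;
}

// Path 1: escape, then interpolate into the SQL string (the quote_smart approach).
function insert_comment_escaped(PDO $db, string $title, string $body): void
{
    $sql = sprintf(
        'INSERT INTO comments (title, body) VALUES (%s, %s)',
        quote_smart_sql($db, $title, true),   // title: HTML stripped
        quote_smart_sql($db, $body)           // body: HTML kept
    );
    $db->exec($sql);
}

// Path 2: a prepared statement. The value is sent separately from the SQL
// text, so no escaping and no magic-quotes handling is needed at all.
function insert_comment_prepared(PDO $db, string $title, string $body): void
{
    $stmt = $db->prepare('INSERT INTO comments (title, body) VALUES (:title, :body)');
    $stmt->execute([':title' => strip_tags($title), ':body' => $body]);
}

function comment_rows(PDO $db): array
{
    return $db->query('SELECT title, body FROM comments ORDER BY id')
              ->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed hostile input: a quote, an injection attempt and some markup.
$title = "O'Reilly <b>bold</b>' OR 1=1 --";
$body  = "Runs <i>fine</i> with ' quotes";

$db = open_db();
insert_comment_escaped($db, $title, $body);
insert_comment_prepared($db, $title, $body);

foreach (comment_rows($db) as $row) {
    // Both rows hold the title with tags removed and the body untouched;
    // the "' OR 1=1 --" fragment is stored as data, not run as SQL, on either path.
    printf("%s | %s\n", $row['title'], $row['body']);
}
```

Two things worth keeping separate when reading this: PDO::quote() and a prepared statement both keep the apostrophe and the `' OR 1=1 --` fragment out of the SQL grammar, but only the prepared statement does so without the value ever being spliced into the query string, which is why it needs no knowledge of magic quotes. And strip_tags() on the title is input filtering for a field that must not contain markup; it is not an output-encoding step, so anything rendered back into a page still needs htmlspecialchars() at the point of output.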
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: This is a digitally signed message part
Url : http://www.winehq.org/pipermail/wine-devel/attachments/20060626/112d35d4/attachment.pgp