[AppDb] [2/3] safe functions
jonathan at ernstfamily.ch
Mon Jun 26 00:50:49 CDT 2006
On Sunday, June 25, 2006 at 20:00 -0400, Chris Morgan wrote:
> Hi Jonathan.
> You'll want to talk to EA about the filtering changes. The plan is to
> filter using the same syntax and flags that the php filter extension
> is going to use so we can easily switch over to this extension in the
I know we could use PEAR and we could also use a database abstraction
layer, I just thought my solution was better because it has proven to
work well on several projects I worked recently and is recommended by
the php manual (and it makes queries more readable than using other
> Also, I've submitted a patch for review to appdb at winehq.com and
> wine-patches at winehq.com that removes all of our get_magic_quotes_gpc()
> use and adds a check in include/incl.php that warns and prevents appdb
> from running if magic quotes is enabled. So you shouldn't need to
> have any get_magic_quotes_gpc() checks anymore.
Isn't it better to support both configurations? My solution works with
or without magic quotes.
> I also noticed your quote_smart_sql() call. This call isn't used
> anywhere, we shouldn't add calls to functions that aren't called. We
It is used in 3/3.
> also already have a function that will make sql calls safe called
> query_paramters() in include/db.php. Also, do we want to strip tags
> from sql? Won't that remove all tags from things like app/version
> descriptions, comments and notes?
No, there is a parameter in this function (quote_smart_sql). By default
we don't remove html, but for some fields we might want to filter out
html (comment titles, etc.)
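The two approaches under discussion, side by side, as an added example that is not the AppDb patch or the project's code: input normalised so it behaves the same with or without magic_quotes_gpc, an optional HTML strip controlled by a parameter (off by default, as described above), and a bound-parameter query in the spirit of query_parameters(). The table and column names and the quote_smart_sql() body are assumptions for illustration.

```php
<?php
// Added illustration; function bodies are hypothetical, not AppDb's own.

/**
 * Return the raw user value regardless of the magic_quotes_gpc setting.
 * If PHP already added backslashes, remove them so nothing is escaped twice.
 * Optionally strip HTML for fields that should never carry markup.
 */
function normalize_input($value, $strip_html = false)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    if ($strip_html) {
        $value = strip_tags($value);
    }
    return $value;
}

/**
 * Inline-quoting style (hypothetical quote_smart_sql): escape through the
 * driver and wrap in quotes. $strip_html defaults to false so descriptions,
 * comments and notes keep their tags.
 */
function quote_smart_sql(PDO $db, $value, $strip_html = false)
{
    return $db->quote(normalize_input($value, $strip_html));
}

/**
 * Preferred style: bound parameters, so the value is never parsed as SQL.
 * Table/column names are assumed for the example.
 */
function find_comments_by_title(PDO $db, $app_id, $title)
{
    $stmt = $db->prepare(
        'SELECT id, title FROM appComments WHERE appId = ? AND title = ?'
    );
    $stmt->execute(array((int) $app_id, normalize_input($title, true)));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input as it might arrive in $_POST for a comment title.
$raw_title = "O'Reilly's <b>note</b>";
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE appComments (id INTEGER PRIMARY KEY, appId INTEGER, title TEXT)');
$db->exec('INSERT INTO appComments (appId, title) VALUES (' . 42 . ', '
    . quote_smart_sql($db, $raw_title, true) . ')');
var_dump(find_comments_by_title($db, 42, $raw_title));
```

The apostrophe in the sample title survives both paths intact, and the tags are removed only because the title field asks for it.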