[AppDB] - protect sql insert statements from injection attacks

Chris Morgan cmorgan at alum.wpi.edu
Thu Jun 22 15:08:53 CDT 2006

Change compile_insert_string() to compile_insert_array() and add a new first 
parameter of $sTable that represents the table you are building the insert 
statement for.  The output of compile_insert_array() is passed to 
query_insert() to perform the insertion.  Change all existing calls of 
compile_insert_string() to compile_insert_array() and specify the table as 
the first parameter.  Make all instances of sql inserts that didn't use 
compile_insert_string() use compile_insert_array().

The use of mysql_real_escape_string() inside of compile_insert_array() 
protects the insert statement from sql injection attacks.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: compile_insert_array.patch
Type: text/x-diff
Size: 32284 bytes
Desc: not available
Url : http://www.winehq.org/pipermail/wine-patches/attachments/20060622/4da271d9/compile_insert_array-0001.patch

More information about the wine-patches mailing list