[AppDB] - protect against sql injection in select, update and delete statements

Tony Lambregts tony.lambregts at gmail.com
Sun Jun 25 16:37:23 CDT 2006

Chris Morgan wrote:
> Protect against sql injection attacks in select, update and delete statements 
> by using query_parameters().  mysql_real_escape_string() is used on variables 
> in cases where using query_parameters() isn't possible due to the complexity 
> of the query. These could potentially be simplified so query_parameters() 
> could be used.
This patch is quite large  and it breaks moving an test results to an 
existing version.

I had spent a fair amount of time testing this before I found this bug 
and I think that most of it may be OK but  as they say "one drop of crap 
in a gallon of wine..."

Can you  submit some smaller chunks of this so that I can test them and 
we get them in.  We already have query_parameters()  in the code base so 
the simple stuff like addcomment.php is probably good to go. If you 
could submit a patch for just those I would appreciate it.


Tony Lambregts

More information about the wine-patches mailing list