On Thursday, 08 June 2006 at 11:42 -0400, Chris Morgan wrote:
Can you come up with a non-destructive working example for the appdb website (appdb.winehq.org)? ;-)
I ask because I thought we went through this some time ago but I agree that what you say looks like an open issue.
Chris
Lately I used the following snippet in all my webapps to secure them against SQL injection:
http://php.net/mysql_real_escape_string under "Best practice".
<?php
function smart_quote($value)
{
    // Undo magic_quotes_gpc escaping so the value is not escaped twice
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Quote and escape it unless it is a number (numbers are inserted as-is)
    if (!is_numeric($value)) {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}

// Secure query
$sQuery = sprintf("SELECT * FROM users WHERE user=%s AND password=%s",
                  smart_quote($_POST['username']),
                  smart_quote($_POST['password']));
mysql_query($sQuery);
?>
I think it is better than what we have now in AppDB (didn't check it though). If nobody looks at it, I'll check the code after my master's thesis (in one month).
Jonathan
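As an added illustration (not code from the message above or from AppDB), the same login lookup written with a PDO prepared statement, which keeps the user input out of the SQL text altogether instead of escaping it at each call site; the DSN, credentials and the find_user() wrapper are placeholders chosen for the example.

```php
<?php
// Added example: the login query from the thread, using a prepared statement
// instead of mysql_real_escape_string(). Connection details are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=appdb_placeholder;charset=utf8',
               'db_user_placeholder', 'db_password_placeholder',
               array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
                     // real server-side prepares: values never touch the SQL text
                     PDO::ATTR_EMULATE_PREPARES => false));

// Hypothetical wrapper: returns the matching user row, or null if none.
function find_user(PDO $pdo, $username, $password)
{
    // The '?' placeholders are bound at execute time, so quotes, backslashes
    // or comment markers inside the values are handled as data, not as SQL.
    $stmt = $pdo->prepare('SELECT * FROM users WHERE user = ? AND password = ?');
    $stmt->execute(array($username, $password));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// A value containing a quote needs no special handling by the caller.
$row = find_user($pdo, "o'brien", $_POST['password']);
```

Unlike the escaping helper, this needs no magic_quotes handling or per-value quoting decision (the is_numeric branch above sends numeric-looking strings unquoted), and it does not depend on mysql_real_escape_string() having an open connection with the right charset; the mysql_* extension itself was removed in PHP 7.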