Hi Jonathan.
You'll want to talk to EA about the filtering changes. The plan is to filter using the same syntax and flags that the php filter extension is going to use so we can easily switch over to this extension in the future.
Also, I've submitted a patch for review to appdb@winehq.com and wine-patches@winehq.com that removes all of our get_magic_quotes_gpc() use and adds a check in include/incl.php that warns and prevents appdb from running if magic quotes is enabled. So you shouldn't need to have any get_magic_quotes_gpc() checks anymore.
I also noticed your quote_smart_sql() call. This call isn't used anywhere, we shouldn't add calls to functions that aren't called. We also already have a function that will make sql calls safe called query_paramters() in include/db.php. Also, do we want to strip tags from sql? Won't that remove all tags from things like app/version descriptions, comments and notes?
Chris
On 6/25/06, Jonathan Ernst jonathan@ernstfamily.ch wrote:
Hi,
The code I made is not dependent on magic_quote value and shouldn't allow anybody to mess with the values read or written from/to the database. Also it doesn't require to make copies of every single string the user passes to us.
It is based on php manual's best practices for avoiding injection.
I'd be very glad if we'll use such mechanism for the rest of the queries and get rid of compile_whatever, makeSafe & co.
Changelog:
- functions to avoid sql/html injection without having issues with addslashes/magic_quotes_gpc
Files changed:
- include/util.php
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2.2 (GNU/Linux)
iD8DBQBEnt7SIW5mR/h6b38RAii/AKCB26o0DAM978gQz8baVz6VuubW3ACgqBoJ Or4cDg49YqCUD3dughsW1oY= =keDV -----END PGP SIGNATURE-----