The makeSafe() changes for filtering data and the query_parameters() changes for sql injection parameters are related but independent changes.
It seems like query_parameters() is a better fix than putting inline sprintf()s and quote_safe_sql() calls. query_parameters() encapsulates the calls to whatever 'escape' function that we choose. query_parameters() also uses the syntax that pear db uses for place holders, ?, ~ and &.
Chris
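As an added example (not code from the thread or from the project's patches), here is a Python stand-in for the query_parameters() approach described above: one escaping function, one substitution routine, and the inline sprintf() pattern beside it for comparison. It implements only the `?` placeholder, and quote_safe_sql() here is a hypothetical stand-in, not the project's own function.

```python
import sqlite3

def quote_safe_sql(value):
    # Hypothetical escaping function standing in for the project's own
    # quote_safe_sql(): numbers pass through, None becomes NULL, and strings
    # get single quotes doubled and are wrapped in quotes (SQL-92 literal rule).
    if value is None:
        return "NULL"
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        return repr(value)
    return "'" + str(value).replace("'", "''") + "'"

def query_parameters(sql, params):
    # Hypothetical stand-in for the thread's query_parameters(): every `?` in
    # the constant template is replaced by the escaped parameter, so all
    # queries share one escaping path instead of ad-hoc sprintf() calls.
    # The template must be developer-controlled: a `?` inside a string literal
    # in the template would be counted as a placeholder.
    parts = sql.split("?")
    if len(parts) - 1 != len(params):
        raise ValueError("placeholder/parameter count mismatch")
    out = parts[0]
    for part, value in zip(parts[1:], params):
        out += quote_safe_sql(value) + part
    return out

def store_and_fetch_comment(body, use_inline_sprintf=False):
    # Constructed demo: in-memory SQLite with a comments table. Returns the
    # body as stored, or the database error text when the query breaks.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)")
    if use_inline_sprintf:
        # The pattern the thread wants to remove: the value is dropped straight
        # into the string, so a quote in user input changes the query's structure.
        sql = "INSERT INTO comments (body) VALUES ('%s')" % body
    else:
        sql = query_parameters("INSERT INTO comments (body) VALUES (?)", [body])
    try:
        db.execute(sql)
    except sqlite3.OperationalError as err:
        return "error: " + str(err)
    return db.execute("SELECT body FROM comments").fetchone()[0]
```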
On 6/25/06, Jonathan Ernst jonathan@ernstfamily.ch wrote:
Hi,
Here is a cleaned up version of the comments handling that better fixes (imho) all problems related to sql and html injection (it requires the previous patches to be applied).
It is based on php manual's best practices for avoiding injection.
I'd be very glad if we used such a mechanism for the rest of the queries and got rid of compile_whatever, makeSafe & co.
Changelog:
- avoid sql/html injection in the comments
Files changed:
- addcomment.php
- deletecomment.php
- include/comment.php