Re: appdb security

2006-06-19 Thread Jonathan Ernst
Hi, The recent changes you made have resulted in a regression, at least in note editing. \'s and ''s are too much addslashized again. I remember having fixed this some time ago... Thanks. Jonathan

Re: appdb security

2006-06-10 Thread EA Durbin
Tobias Burnus wrote: Why don't you use mysql_escape_string(...)? http://de.php.net/manual/en/function.mysql-escape-string.php Why not just use PEAR::DB as recommended in the book Essential PHP Security, as it handles multiple SQL interfaces and escapes the data automatically for you,

Re: appdb security

2006-06-09 Thread Christoph Frick
On Thu, Jun 08, 2006 at 06:44:15PM -0500, EA Durbin wrote: function makeSafe( $var ) { $var = trim( addslashes( $var ) ); return $var; } $clean['var1'] = makeSafe( $_REQUEST['var1'] ); $clean['var2'] = makeSafe( $_REQUEST['var2'] ); sorry for only throwing things at you guys and

Re: appdb security

2006-06-09 Thread Tobias Burnus
Hi, Jonathan Ernst wrote: On Thursday 08 June 2006 at 11:42 -0400, Chris Morgan wrote: Can you come up with a non-destructive working example for the appdb website(appdb.winehq.org)? ;-) I ask because I thought we went through this some time ago but I agree that what you say looks like

Re: appdb security

2006-06-09 Thread Joris Huizer
Tobias Burnus wrote: Why don't you use mysql_escape_string(...)? http://de.php.net/manual/en/function.mysql-escape-string.php Tobias The page says it's deprecated and mentions using mysql_real_escape_string instead (http://nl2.php.net/mysql_real_escape_string) HTH, Joris

Re: appdb security

2006-06-08 Thread Christoph Frick
On Thu, Jun 08, 2006 at 11:25:08AM -0400, Chris Morgan wrote: $sQuery = Select versionId from appVersion where appId='$_REQUEST['appId'].';; Who's '' around $_REQUEST should prevent the string from being interpreted as anything but a single value passed as the value of appId. with
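The query pattern quoted above (a request value spliced between single quotes) and the double-escaping regression reported at the top of the page, as an added example that is not code from the appdb project or from anyone in this thread. It runs against an in-memory SQLite database through PDO, which is assumed to be available; SQLite stands in for MySQL only for the concatenation-versus-bound-parameter comparison, where both engines behave the same way. The addslashes() part is exercised on strings alone, because SQLite does not treat a backslash as an escape character and would not reproduce MySQL's handling of addslashes() output. The table, column names and rows are constructed to mirror the quoted query.

```php
<?php
// Added example, not appdb code. Assumption: the pdo_sqlite extension is
// loaded. appVersion / versionId / appId mirror the query quoted in the
// thread; the four rows are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE appVersion (versionId INTEGER PRIMARY KEY, appId INTEGER NOT NULL)');
$db->exec('INSERT INTO appVersion (versionId, appId) VALUES (1, 10), (2, 10), (3, 20), (4, 30)');

// The pattern under discussion: the request value becomes part of the SQL
// text, wrapped in single quotes. A quote inside the value closes the literal.
function versionsConcatenated(PDO $db, string $appId): array
{
    $sQuery = "SELECT versionId FROM appVersion WHERE appId='" . $appId . "'";
    return array_map('intval', $db->query($sQuery)->fetchAll(PDO::FETCH_COLUMN));
}

// Bound parameter: the value is passed to the driver separately from the SQL
// text, so nothing inside it is ever parsed as SQL. No escaping step needed.
function versionsBound(PDO $db, string $appId): array
{
    $stmt = $db->prepare('SELECT versionId FROM appVersion WHERE appId = :appId');
    $stmt->execute([':appId' => $appId]);
    return array_map('intval', $stmt->fetchAll(PDO::FETCH_COLUMN));
}

$benign  = '10';
$hostile = "10' OR '1'='1";   // closes the quoted literal, then adds an always-true predicate

echo "concatenated, benign:  ", implode(',', versionsConcatenated($db, $benign)), "\n";
echo "concatenated, hostile: ", implode(',', versionsConcatenated($db, $hostile)), "\n";
echo "bound, benign:         ", implode(',', versionsBound($db, $benign)), "\n";
echo "bound, hostile:        ", implode(',', versionsBound($db, $hostile)), "\n";

// The regression from the first message on this page: makeSafe() (addslashes
// plus trim, as posted in the thread) applied to a value that was already
// escaped, either by an earlier makeSafe() call or by magic_quotes_gpc, which
// PHP of that era could apply to request data before the script ran.
function makeSafe(string $var): string
{
    return trim(addslashes($var));
}

$note  = "it's a \"note\" with a \\ backslash";   // constructed sample input
$once  = makeSafe($note);   // one layer: ' " and \ each get a backslash
$twice = makeSafe($once);   // second layer: the added backslashes are escaped again
echo $note, "\n", $once, "\n", $twice, "\n";

// stripslashes() undoes exactly one layer, which is the repair when input
// arrives pre-escaped; with bound parameters the layer is never added at all.
var_dump(stripslashes($once) === $note);
var_dump(stripslashes($twice) === $once);
```

Run with `php` on the command line. The concatenated query returns the two rows for appId 10 on the benign input and every row on the hostile input, while the bound query returns the two rows and no rows respectively. The second part prints the note escaped once and twice and then confirms that a single stripslashes() recovers the previous layer. mysql_real_escape_string(), which the thread recommends over addslashes(), is at least aware of the connection character set, but it still leaves the value inside the SQL text and still has to be applied exactly once; binding the parameter removes both concerns.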

Re: appdb security

2006-06-08 Thread Chris Morgan
Can you come up with a non-destructive working example for the appdb website(appdb.winehq.org)? ;-) I ask because I thought we went through this some time ago but I agree that what you say looks like an open issue. Chris On Thursday 08 June 2006 11:35 am, Christoph Frick wrote: On Thu, Jun

Re: appdb security

2006-06-08 Thread Jonathan Ernst
On Thursday 08 June 2006 at 11:42 -0400, Chris Morgan wrote: Can you come up with a non-destructive working example for the appdb website(appdb.winehq.org)? ;-) I ask because I thought we went through this some time ago but I agree that what you say looks like an open issue. Chris

Re: appdb security

2006-06-08 Thread Chris Morgan
. http://phpsec.org/projects/guide/1.html#1.4 Then PEAR::DB to query the mysql database as PEAR::DB handles the SQL filtering. From: Jonathan Ernst [EMAIL PROTECTED] To: wine-devel@winehq.com Subject: Re: appdb security Date: Thu, 08 Jun 2006 18:12:20 +0200 On Thursday 08 June 2006 at 11:42

Re: appdb security

2006-06-08 Thread EA Durbin
: Re: appdb security Date: Thu, 8 Jun 2006 16:40:55 -0400 Alright. I'm sold on having to check all user input. We should make this input checking change across the board if you are up for it. $clean = array(); //array of filtered user input + +$clean['catId'] = makeSafe( $_REQUEST['catId

Re: appdb security

2006-06-08 Thread EA Durbin
Is there a reason why we don't do the if(empty()) check inside of makeSafe()? As in, put the if(empty()) inside of the function itself, or pass if( empty( makeSafe( $_REQUEST['appId'] ) ) ) when we assign it? The reason I didn't put it in the makeSafe function was because we were testing to