Hi,
The recent changes you made have resulted in a regression, at least in
note editing.
\'s and ''s are too much addslashized again. I remember having fixed
this some time ago...
Thanks.
Jonathan
Tobias Burnus wrote:
> Why don't you use mysql_escape_string(...)?
> http://de.php.net/manual/en/function.mysql-escape-string.php
Why not just use PEAR::DB as recommended in the book "Essential PHP
Security", as it handles multiple SQL interfaces and escapes the data
automatically for you, app
Tobias Burnus wrote:
> Why don't you use mysql_escape_string(...)?
> http://de.php.net/manual/en/function.mysql-escape-string.php
Tobias
The page says it's deprecated and mentions using
mysql_real_escape_string instead
(http://nl2.php.net/mysql_real_escape_string)
HTH,
Joris
Hi,
Jonathan Ernst wrote:
> On Thursday 08 June 2006 at 11:42 -0400, Chris Morgan wrote:
>> Can you come up with a non-destructive working example for the appdb
>> website(appdb.winehq.org)? ;-)
>>
>> I ask because I thought we went through this some time ago but I agree that
>> what you say lo
On Thu, Jun 08, 2006 at 06:44:15PM -0500, EA Durbin wrote:
> function makeSafe( $var )
> {
>     $var = trim( addslashes( $var ) );
>     return $var;
> }
>
>
> $clean['var1'] = makeSafe( $_REQUEST['var1'] );
> $clean['var2'] = makeSafe( $_REQUEST['var2'] );
Sorry for only throwing things at you.
Is there a reason why we don't do the if(empty()) check inside of
makeSafe()?
As in, put the if(empty()) inside of the function itself, or pass if( empty
(makeSafe( $_REQUEST['appId'] ) ) ) when we assign it?
The reason I didn't put it in the makeSafe function was because we were
testing to s
bin <[EMAIL PROTECTED]>
Subject: Re: appdb security
Date: Thu, 8 Jun 2006 16:40:55 -0400
Alright. I'm sold on having to check all user input. We should make this
input checking change across the board if you are up for it.
$clean = array(); //array of filtered user input
+
+$clean['
ltered input. If all filtered variables are put in an array it makes it
> easier to ensure you're using the non tainted variable.
>
> http://phpsec.org/projects/guide/1.html#1.4
>
> Then PEAR::DB to query the mysql database as PEAR::DB handles the SQL
> filtering.
>
> >
c.org/projects/guide/1.html#1.4
Then PEAR::DB to query the mysql database as PEAR::DB handles the SQL
filtering.
From: Jonathan Ernst <[EMAIL PROTECTED]>
To: wine-devel@winehq.com
Subject: Re: appdb security
Date: Thu, 08 Jun 2006 18:12:20 +0200
On Thursday 08 June 2006 at 11:42 -0400, Chris Morgan wrote:
> Can you come up with a non-destructive working example for the appdb
> website(appdb.winehq.org)? ;-)
>
> I ask because I thought we went through this some time ago but I agree that
> what you say looks like an open issue.
>
> Chris
On Thu, Jun 08, 2006 at 11:42:09AM -0400, Chris Morgan wrote:
> Can you come up with a non-destructive working example for the appdb
> website(appdb.winehq.org)? ;-)
no ;P
> I ask because I thought we went through this some time ago but I agree
> that what you say looks like an open issue.
if
Can you come up with a non-destructive working example for the appdb
website(appdb.winehq.org)? ;-)
I ask because I thought we went through this some time ago but I agree that
what you say looks like an open issue.
Chris
On Thursday 08 June 2006 11:35 am, Christoph Frick wrote:
> On Thu, Jun
On Thu, Jun 08, 2006 at 11:25:08AM -0400, Chris Morgan wrote:
> $sQuery = "Select versionId from appVersion where
> appId='".$_REQUEST['appId']."';";
>
> Who's '' around $_REQUEST should prevent the string from being interpreted as
> anything but a single value passed as the value of appId.
wit