From: Jeroen L. <jl...@ca...> - 2002-08-18 09:35:44
|
At 02:14 18-8-2002 -0700, you wrote: >Jeroen Latour wrote: >>At 01:54 18-8-2002 -0700, you wrote: >>Hi, just wanted to bring this up again so I can finish of the changes to >>the bugnote_* pages. >> >>>As it is, it doesn't make sense to call string_prepare_text() in either >>>the API function or the main page. >>> >>>My proposal is that the pages should make sure that variables are of the >>>right type and contain all the right content (and none of the wrong >>>content) before calling API functions. API functions should assume the >>>data is correct but escape it as necessary to make sure that it can be >>>safely inserted into the DB. >>> >>>These tasks used to be able to be combined because all the SQL queries >>>were in the pages but as this changes this problem will become worse. >>>The API functions can't know how to filter or convert the data because >>>they don't know where the data came from. They do however need to >>>protect the database inserts. >>> >>>The solution is simply to remove the addslashes() call from >>>string_prepare_text() and put it in the API call where it is needed. The >>>rest of string_prepare_text() can remain the same and continue to be >>>called from the web pages. Pages that haven't had their SQL queries >>>removed yet would have to have addslashes() calls added for the moment. >> >>Sounds good. Are you going to implement it? > >If people are in favour of it I'll have a go... probably tomorrow or the >next day (not staying up so late tonight :) > >Would people prefer a sweeping change or commits one chunk at a time? >(honestly I'm not even sure how widespread the problem is... I've left >comments marked in about 5 places in the bugnote_* pages where I need to >address the problem) Well, if you are going to remove the addslashes call from string_prepare_text, that would mean that a lot won't work until you add it back, and a lot is insecure. So one commit would seem best. Jeroen |