#7 SQL insertion problems

Status: closed-accepted
Owner: nobody
Labels: None
Priority: 5
Updated: 2004-08-01
Created: 2004-02-09
Private: No

This patch against 0.4.0 changes the way that SQL
queries are constructed in order to make them handle
random data consistently, correctly and securely. The
old code inserted unchecked values directly into SQL
queries. This code checks and/or quotes all
user-supplied values going into the queries. I've also
taken the liberty of adding a convenience function to
the Query class that encapsulates some common
housekeeping that all the Query subclasses do. In
addition, I fixed a few places where comments did not
agree with the code. There are more of these to be
fixed; I only changed the ones that stood out to me as
I was fixing the SQL stuff.

One problem with this patch is that it makes an
implicit assumption that the magic_quotes_gpc setting
is turned off. There are a few (not all) parts of
OpenBiblio that assume that it is turned on, so
whatever it's set to, either with or without this
patch, you won't get completely consistent behavior.
If you use this patch, though, I recommend turning
magic_quotes_gpc off. I am working on a patch to make
the program completely independent of the magic_quotes
setting, but it is not yet complete.

I have done some testing on this patch, and most of the
code in it has been in production use for a couple of
months. But there are parts of the program I seldom
use right now (mainly circulation and reports), so you
may wish to test things thoroughly.

BTW, after applying this patch, the code will be about
600 lines shorter than as released. This is due to the
convenience function I added in the Query class.

Micah
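The following is an added illustration of the approach the patch describes (check numeric values, quote string values, and stay consistent whatever magic_quotes_gpc is set to); it is not code from OpenBiblio or from the patch. Function names, the table and column names, and the request values are assumptions. `addslashes` stands in for the driver's escape function so the example runs without a database; on a live connection the driver's escape function or a prepared statement is the right tool, since `addslashes` is not charset-aware.

```php
<?php
// Added example, not OpenBiblio code. Names below are assumptions.

// Undo the backslashes magic_quotes_gpc adds so that every value is escaped exactly
// once, whatever the server setting. $magicQuotesOn would normally come from
// get_magic_quotes_gpc() (removed in PHP 8); it is a parameter here so the example
// runs anywhere.
function normalizeGpc(string $value, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// Quote a string for use as a SQL literal. addslashes is a connection-free stand-in
// for the driver's escape function (assumption); it is not charset-aware.
function sqlQuote(string $value): string
{
    return "'" . addslashes($value) . "'";
}

// Check that an id really is an unsigned integer; reject anything else rather than
// quoting it, since ids are compared as numbers, not strings.
function sqlInt(string $value): int
{
    if (!ctype_digit($value)) {
        throw new InvalidArgumentException("expected an integer id, got \"$value\"");
    }
    return (int) $value;
}

// Before: the pattern the patch removes. Request values land in the query unchecked.
function lookupCopyUnsafe(array $req): string
{
    return "select * from biblio_copy where bibid = " . $req['bibid']
         . " and barcode_nmbr = '" . $req['barcode'] . "'";
}

// After: every request value is checked (numbers) or quoted (strings) first.
function lookupCopySafe(array $req, bool $magicQuotesOn): string
{
    $bibid   = sqlInt(normalizeGpc($req['bibid'], $magicQuotesOn));
    $barcode = sqlQuote(normalizeGpc($req['barcode'], $magicQuotesOn));
    return "select * from biblio_copy where bibid = $bibid and barcode_nmbr = $barcode";
}

// Constructed request: the barcode contains a single quote.
$req = ['bibid' => '12', 'barcode' => "B'1"];
echo lookupCopyUnsafe($req), "\n";      // the quote ends the literal early: malformed SQL
echo lookupCopySafe($req, false), "\n"; // ... bibid = 12 and barcode_nmbr = 'B\'1'

// The same request as magic_quotes_gpc would deliver it (backslash already added).
// After normalization the safe builder produces exactly the same statement.
$reqMq = ['bibid' => '12', 'barcode' => "B\\'1"];
echo lookupCopySafe($reqMq, true), "\n";

// A non-numeric id is rejected instead of being spliced into the query.
try {
    lookupCopySafe(['bibid' => '12abc', 'barcode' => 'B1'], false);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The point of `normalizeGpc` is the inconsistency the post describes: if some code paths assume magic_quotes_gpc is on and others assume it is off, a value is escaped either zero or two times depending on the path. Stripping the GPC layer first and then escaping once in the query builder makes the result independent of the setting.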

Discussion

  • Micah Stetson - 2004-02-10

    Oops. There's a problem in the patch.
    classes/BiblioCopyQuery.php had a call to
    $this->_conn->_query which doesn't exist. It should be just
    $this->_query. I'm attaching a fixed version of the patch.

    I really need to finish my OpenBiblio test framework. This
    could have been avoided.

    Sorry,

    Micah

  • Micah Stetson - 2004-02-10

    Updated patch against 0.4.0

  • Micah Stetson - 2004-08-01
    • status: open --> closed-accepted

  • Micah Stetson - 2004-08-01

    Applied in CVS.

    Micah
