When entering apostrophes and maybe other bad characters
(quotation marks, semicolons?) in form fields, they
should be quoted.
Not doing so results in security risks or in functions that
simply do not work.
Example: try searching for something like "Fry's Homepage".
Logged In: YES
user_id=1391123
I fixed the problem on my installation by using the
mysql_real_escape_string function.
As a result, my insert statement is now
$l_strQuery = sprintf( $l_strQuery,
mysql_real_escape_string($_POST['f_bookmark_name']),
mysql_real_escape_string($_POST['f_bookmark_comment']),
$_POST['f_bookmark_url'], $_POST['f_bookmark_rating'],
$l_isPrivate );
and my update query is now
$l_strQuery = sprintf( $l_strQuery,
mysql_real_escape_string($_POST['f_bookmark_name']),
mysql_real_escape_string($_POST['f_bookmark_comment']),
$_POST['f_bookmark_url'], $_POST['f_bookmark_rating'],
$l_isPrivate, $_POST['f_bookmark_id'] );
Applying this to all SQL statements dealing with the
bookmark_name and bookmark_comment fields would fix the bug.
As far as security is concerned, I will leave that to the experts.
Léon
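The pattern in the post above, as an added example that is not part of the original thread or the project's code: it reproduces the reported apostrophe failure, applies the same escape-name-and-comment fix, and then shows the practitioner's caveat, namely that the unquoted id in the update query is still interpolated unescaped. The PHP/MySQL code is translated to Python with an in-memory SQLite table; `sql_escape` (quote doubling) stands in for mysql_real_escape_string (MySQL backslash-escapes instead), and the table name, column names, sample bookmarks and the hostile id value are all assumptions constructed for the demo.

```python
import sqlite3

# Constructed sample data for the demo; "Fry's Homepage" is the search term
# from the original bug report.
SAMPLE_BOOKMARKS = [
    ("Fry's Homepage", "has an apostrophe", "http://example.test/fry", 5, 0),
    ("Plain Name", "no special characters", "http://example.test/plain", 3, 1),
]


def new_db():
    """In-memory SQLite table shaped like the bookmark form fields (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE bookmarks (id INTEGER PRIMARY KEY, name TEXT, comment TEXT,"
        " url TEXT, rating INTEGER, private INTEGER)"
    )
    return conn


def insert_unescaped(conn, name, comment, url, rating, private):
    """The original pattern: form values pasted straight into the SQL text."""
    query = (
        "INSERT INTO bookmarks (name, comment, url, rating, private)"
        " VALUES ('%s', '%s', '%s', %s, %s)"
    ) % (name, comment, url, rating, private)
    conn.execute(query)


def sql_escape(value):
    """SQLite analog of mysql_real_escape_string: double each single quote."""
    return str(value).replace("'", "''")


def insert_escape_text_fields(conn, name, comment, url, rating, private):
    """The fix from the post: escape name and comment, leave other fields as-is."""
    query = (
        "INSERT INTO bookmarks (name, comment, url, rating, private)"
        " VALUES ('%s', '%s', '%s', %s, %s)"
    ) % (sql_escape(name), sql_escape(comment), url, rating, private)
    conn.execute(query)


def update_escape_text_fields(conn, name, comment, url, rating, private, bookmark_id):
    """Same approach for the update; bookmark_id is interpolated unquoted and unescaped."""
    query = (
        "UPDATE bookmarks SET name='%s', comment='%s', url='%s', rating=%s,"
        " private=%s WHERE id=%s"
    ) % (sql_escape(name), sql_escape(comment), url, rating, private, bookmark_id)
    return conn.execute(query).rowcount


def update_parameterized(conn, name, comment, url, rating, private, bookmark_id):
    """Bound parameters: the driver keeps data out of the SQL text entirely."""
    cur = conn.execute(
        "UPDATE bookmarks SET name=?, comment=?, url=?, rating=?, private=?"
        " WHERE id=?",
        (name, comment, url, rating, private, bookmark_id),
    )
    return cur.rowcount


def names(conn):
    return [row[0] for row in conn.execute("SELECT name FROM bookmarks ORDER BY id")]


def demo():
    results = {}
    # 1. The reported bug: an apostrophe breaks the unescaped query.
    conn = new_db()
    try:
        insert_unescaped(conn, *SAMPLE_BOOKMARKS[0])
        results["unescaped_apostrophe"] = "inserted"
    except sqlite3.OperationalError:
        results["unescaped_apostrophe"] = "syntax error"

    # 2. Escaping name/comment makes the apostrophe case work...
    conn = new_db()
    for row in SAMPLE_BOOKMARKS:
        insert_escape_text_fields(conn, *row)
    results["escaped_names"] = names(conn)

    # ...but the unquoted id in the update is still attacker-controlled:
    # "1 OR 1=1" (a constructed hostile value) rewrites every row.
    hostile_id = "1 OR 1=1"
    results["escaped_update_rows"] = update_escape_text_fields(
        conn, "owned", "", "http://example.test/x", 1, 0, hostile_id)
    results["escaped_update_names"] = names(conn)

    # 3. With bound parameters the same id value matches nothing.
    conn = new_db()
    for row in SAMPLE_BOOKMARKS:
        conn.execute("INSERT INTO bookmarks (name, comment, url, rating, private)"
                     " VALUES (?, ?, ?, ?, ?)", row)
    results["param_update_rows"] = update_parameterized(
        conn, "owned", "", "http://example.test/x", 1, 0, hostile_id)
    results["param_update_names"] = names(conn)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Escaping only the fields that happened to break (name and comment) fixes the visible symptom, but any value spliced into the query text without quotes (rating, id) is unaffected by quote escaping, which is why bound parameters are the safer general fix.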
Logged In: YES
user_id=11664
I think escaping every string just after it is entered is quite error-prone.
I'd suggest simply escaping in the mysql_query commands, so we don't need
to take care of escaping everywhere in the code.
I'll put this in when I have some free time (or maybe someone else with CVS
access?).
cu.
chrordig
Logged In: YES
user_id=11664
The current CVS version fixes this problem for everything I tested.
Please check it.