Re: [Phpsurveyor-developers] RE : Escaping _POST and _GETfor DB processingin the SVN tree
The leading Open Source survey tool
Brought to you by:
c_schmitz
Menu
▾
▴
Re: [Phpsurveyor-developers] RE : Escaping _POST and _GETfor DB processingin the SVN tree
|
From: Carsten S. <car...@gm...> - 2007-02-11 12:42:22
|
Hello Thibault,
Sorry for taking some time to answer...
Please create a db_quote function and change the sanitize_sql calls to
that new function.
Thank you for your help!
Carsten
Thibault Le Meur wrote:
> No one wants to comment on this subject ?
>
>
>> -----Message d'origine-----
>> De : php...@li...
>> [mailto:php...@li...]
>> De la part de Thibault Le Meur
>> Envoyé : jeudi 8 février 2007 18:34
>> À : php...@li...
>> Objet : [Phpsurveyor-developers] Escaping _POST and _GETfor
>> DB processingin the SVN tree
>>
>>
>> Hi again,
>>
>> I've found another bug caused by a lack of _POST variable
>> escaping in labels.php line 513:
>> $query = "INSERT INTO ".db_table_name('labels'). "
>> (lid, code, title,
>> sortorder,language) VALUES ($lid, '{$_POST['insertc ode']}',
>> '{$_POST['inserttitle_'.$lslanguage]}',
>> '$newsortorder','$lslan guage')";
>>
>> This prevent the definition of labels with simple quotes.
>>
>> I could easily patch this by using
>> _one_of_the_two_remaining_escape_methods
>> used in the PHPSV code (I hope there are no more than 2
>> remaining ;-) ) by
>> either:
>> * define a db_quote function (as it is aleady done in
>> admin/database.php and /admin/vvimport.php
>> ==> shouldn't we use a single definition of this function
>> in common.php ?
>> * or use the sanitize_sql_string (already used in
>> ./admin/labels.php, ./admin/tokens.php,
>> ./admin/assessments.php, ./save.php) and defined in
>> ./classes/core/sanitize.php
>> ==> Though this function is more used inthe phpsv code it
>> seems not to be database independent
>>
>> I think the best solution should be either:
>> * to use only the db_quote function (and defining it in common.php or
>> sanitize.php)
>> * OR to use only a NEW sanitize_sql_string function that
>> would use the adodb escaping function (as does db_quote).
>>
>> What do you think ?
>>
>> Regards,
>> Thibault
>>
>>
>>
>>
>>
>>
>> --------------------------------------------------------------
>> -----------
>> Using Tomcat but need to do more? Need to support web
>> services, security? Get stuff done quickly with
>> pre-integrated technology to make your job easier. Download
>> IBM WebSphere Application Server v.1.0.1 based on Apache
>> Geronimo
>> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&
>>
> dat=121642
> _______________________________________________
> PHPSurveyor-Developers mailing list
> PHP...@li...
> https://lists.sourceforge.net/lists/listinfo/phpsurveyor-developers
>
>
>
> -------------------------------------------------------------------------
> Using Tomcat but need to do more? Need to support web services, security?
> Get stuff done quickly with pre-integrated technology to make your job easier.
> Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
> _______________________________________________
> PHPSurveyor-Developers mailing list
> PHP...@li...
> https://lists.sourceforge.net/lists/listinfo/phpsurveyor-developers
>
>
|