Re: [Phpsurveyor-developers] RE : Escaping _POST and _GET for DB processing in the SVN tree
From: Carsten S. <car...@gm...> - 2007-02-11 12:42:22
Hello Thibault,

Sorry for taking some time to answer... Please create a db_quote function and change the sanitize_sql calls to that new function.

Thank you for your help!

Carsten

Thibault Le Meur wrote:
> No one wants to comment on this subject ?
>
>> -----Original Message-----
>> From: php...@li...
>> [mailto:php...@li...]
>> On behalf of Thibault Le Meur
>> Sent: Thursday 8 February 2007 18:34
>> To: php...@li...
>> Subject: [Phpsurveyor-developers] Escaping _POST and _GET for
>> DB processing in the SVN tree
>>
>> Hi again,
>>
>> I've found another bug caused by a lack of _POST variable
>> escaping in labels.php line 513:
>>
>> $query = "INSERT INTO ".db_table_name('labels'). " (lid, code, title,
>> sortorder,language) VALUES ($lid, '{$_POST['insertcode']}',
>> '{$_POST['inserttitle_'.$lslanguage]}', '$newsortorder','$lslanguage')";
>>
>> This prevents the definition of labels with simple quotes.
>>
>> I could easily patch this by using
>> _one_of_the_two_remaining_escape_methods used in the PHPSV code
>> (I hope there are no more than 2 remaining ;-) ) by either:
>> * define a db_quote function (as it is already done in
>> admin/database.php and /admin/vvimport.php)
>> ==> shouldn't we use a single definition of this function in common.php ?
>> * or use the sanitize_sql_string (already used in ./admin/labels.php,
>> ./admin/tokens.php, ./admin/assessments.php, ./save.php) and defined in
>> ./classes/core/sanitize.php
>> ==> Though this function is more used in the phpsv code it seems not
>> to be database independent
>>
>> I think the best solution should be either:
>> * to use only the db_quote function (and defining it in common.php or
>> sanitize.php)
>> * OR to use only a NEW sanitize_sql_string function that would use the
>> adodb escaping function (as does db_quote).
>>
>> What do you think ?
>>
>> Regards,
>> Thibault
>>
>> _______________________________________________
>> PHPSurveyor-Developers mailing list
>> PHP...@li...
>> https://lists.sourceforge.net/lists/listinfo/phpsurveyor-developers
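The route Carsten asks for above (one shared db_quote that delegates to ADOdb's escaping), shown as an added example that is not PHPSurveyor's own code: the labels.php INSERT quoted in the thread is kept as the "before", and the version using db_quote follows it. The global connection name $connect, the table prefix and the StubConnection class are assumptions made so the file runs without a database; ADOdb's real qstr() is what db_quote would call in the project.

```php
<?php
// Added example (not PHPSurveyor code): a single db_quote() that delegates to
// ADOdb's qstr(), and the labels.php INSERT rewritten to use it.
// Assumed: the ADOdb connection object lives in the global $connect (name assumed).

function db_quote($value)
{
    global $connect;
    // ADOdb's qstr() escapes for the active driver AND wraps the result in
    // single quotes, so callers must not add their own quotes around it.
    return $connect->qstr($value);
}

// Before (the bug reported in the thread): $_POST values are interpolated raw,
// so a code such as  it's  ends the string literal early and the INSERT fails.
function labels_insert_unescaped($lid, $newsortorder, $lslanguage)
{
    return "INSERT INTO ".db_table_name('labels')
          ." (lid, code, title, sortorder, language) VALUES ($lid, "
          ."'{$_POST['insertcode']}', '{$_POST['inserttitle_'.$lslanguage]}', "
          ."'$newsortorder', '$lslanguage')";
}

// After: every string value passes through db_quote(); numeric columns are cast.
function labels_insert_escaped($lid, $newsortorder, $lslanguage)
{
    return "INSERT INTO ".db_table_name('labels')
          ." (lid, code, title, sortorder, language) VALUES (".(int)$lid.", "
          .db_quote($_POST['insertcode']).", "
          .db_quote($_POST['inserttitle_'.$lslanguage]).", "
          .(int)$newsortorder.", ".db_quote($lslanguage).")";
}

// --- Constructed stand-ins so this file runs without a database ---
// Minimal stub with the same contract as ADOdb's qstr() on the MySQL driver.
class StubConnection
{
    public function qstr($s) { return "'".addslashes($s)."'"; }
}
function db_table_name($name) { return "pst_".$name; }   // prefix assumed

$connect = new StubConnection();
$_POST = array('insertcode' => "it's", 'inserttitle_en' => "Thibault's label");   // constructed input

echo labels_insert_unescaped(5, 1, 'en'), "\n";  // broken: stray quote inside 'it's'
echo labels_insert_escaped(5, 1, 'en'), "\n";    // quotes escaped as \' by qstr()
```

Running the file prints the broken statement first and the correctly escaped one second; in the project the same db_quote() would replace the sanitize_sql calls Carsten mentions.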