(edited by pgregg 2004-05-18 09:20)

Topic: Replace addslashes() calls throughout the code

I came across this when I found PunPoll doesn't check what it is entering into the database [Security alert!!!], so I looked at the PunBB code to see if you had a standard way of doing it... So before getting chacmool to fix PunPoll it would be better to have a db independent method for him (and other mod devs) to use.

I would suggest adding a db_quote() function to common/db_layer.php which contains a switch on $db_type and returns the argument properly quoted for the database type. [Edit: or a db_quote() placed into the include/dblayer/dbname.php per database include]

addslashes() will only go so far - and will definitely not work for DBs such as Oracle and SQLite (which I believe you are adding).

mysql: mysql_escape_string()
pgsql: pg_escape_string()
sqlite: sqlite_escape_string()

Thoughts?
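A worked demonstration of the point made in the post above, added here as an example; it is not PunBB code and not the poster's code, and it is written in Python against the standard-library sqlite3 module rather than in PHP so that it runs stand-alone. The addslashes() port mirrors PHP's behaviour; standard_sql_quote() does what sqlite_escape_string()/pg_escape_string() do for single quotes. The users table and its rows are constructed for the demo. Backslash quoting is enough for MySQL only because MySQL's string literals treat backslash as an escape character; SQLite and PostgreSQL follow standard SQL, where a quote inside a literal is written as '' and a backslash is an ordinary character, so the backslash that addslashes() inserts does nothing and the attacker's quote still terminates the string.

```python
import sqlite3


def addslashes(s):
    """Python port of PHP addslashes(): prefix ', ", \\ and NUL with a backslash."""
    out = []
    for ch in s:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def standard_sql_quote(s):
    """Standard SQL string quoting (what sqlite_escape_string() and
    pg_escape_string() do for quotes): double every single quote,
    leave backslashes alone because the database treats them literally."""
    return s.replace("'", "''")


def make_db():
    """Constructed in-memory table for the demonstration (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, is_admin) VALUES (?, ?)",
        [("alice", 1), ("bob", 0), ("O'Brien", 0)],
    )
    return conn


def lookup_escaped(quote, username):
    """Build the query by string interpolation after applying `quote`,
    the way addslashes()-based code does. Returns ('ok', [usernames]) or
    ('error', message) so both failure modes can be inspected."""
    conn = make_db()
    sql = "SELECT username FROM users WHERE username = '%s'" % quote(username)
    try:
        return ("ok", [row[0] for row in conn.execute(sql)])
    except sqlite3.OperationalError as e:
        return ("error", str(e))


def lookup_param(username):
    """The database-independent alternative: a bound parameter, no quoting
    done by application code at all."""
    conn = make_db()
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return ("ok", [row[0] for row in rows])


if __name__ == "__main__":
    payload = "' OR is_admin=1 --"
    # addslashes() turns the leading quote into \' ; SQLite reads the
    # backslash as data, the quote still closes the literal, and the
    # rest of the payload becomes SQL: the admin row comes back.
    print("addslashes, attacker:", lookup_escaped(addslashes, payload))
    # The same escaping also breaks a legitimate name containing a quote.
    print("addslashes, O'Brien: ", lookup_escaped(addslashes, "O'Brien"))
    # Doubling the quote keeps the whole payload inside the literal.
    print("'' quoting, attacker:", lookup_escaped(standard_sql_quote, payload))
    print("'' quoting, O'Brien: ", lookup_escaped(standard_sql_quote, "O'Brien"))
    # Bound parameters need no per-database quoting function at all.
    print("parameter,  attacker:", lookup_param(payload))
    print("parameter,  O'Brien: ", lookup_param("O'Brien"))
```

Running the script shows the addslashes() path returning alice for the attacker's input and raising a syntax error for O'Brien, while the doubled-quote path and the bound-parameter path both return no row for the attacker and the correct row for O'Brien. A db_quote() that switches on the database type fixes the first problem; bound parameters, where the driver supports them, remove the quoting question entirely.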

Re: Replace addslashes() calls throughout the code

It's in 1.2 already :)

"Programming is like sex: one mistake and you have to support it for the rest of your life."

Re: Replace addslashes() calls throughout the code

nice :)