Topic: Replace addslashes() calls throughout the code
I came across this when I found PunPoll doesn't check what it is entering into the database [Security alert!!!], so looked at the punbb code to see if you had a standard way of doing it... So before getting chacmool to fix punpoll it would be better to have a db independent method for him (and other mod devs) to use.
I would suggest adding a db_quote() function to common/db_layer.php which contains a switch on $db_type and returns the argument properly quoted for the database type. [Edit: or a db_quote() placed into the include/dblayer/dbname.php per database include]
addslashes() will only go so far - and will definitely not work for DBs such as Oracle and sqlite (which I believe you are adding).
mysql: mysql_escape_string()
pgsql: pg_escape_string()
sqlite: sqlite_escape_string()
Thoughts?
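Why a per-database quoting function matters for SQLite, as an added example that is not part of the original post or the PunBB code: it is written in Python so it can run against an in-memory SQLite database. The `addslashes` port, `sqlite_quote`, `round_trip` and the `poll` table are hypothetical names, and the sample values are constructed.

```python
import sqlite3

def addslashes(s: str) -> str:
    """Port of PHP addslashes(): backslash-escape ', ", backslash and NUL."""
    out = []
    for ch in s:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)

def sqlite_quote(s: str) -> str:
    """SQLite literal rule: double each single quote; backslash is an ordinary character."""
    return s.replace("'", "''")

def round_trip(escape, value: str) -> str:
    """Build a string literal with `escape`, insert it, and return what SQLite stored."""
    db = sqlite3.connect(":memory:")
    try:
        db.execute("CREATE TABLE poll (answer TEXT)")  # hypothetical table
        try:
            db.execute("INSERT INTO poll (answer) VALUES ('%s')" % escape(value))
        except sqlite3.Error as exc:
            return "error: " + type(exc).__name__
        return db.execute("SELECT answer FROM poll").fetchone()[0]
    finally:
        db.close()

if __name__ == "__main__":
    # Constructed sample inputs: one with a quote, one with a backslash.
    for sample in ("O'Reilly", "C:\\temp"):
        print(repr(sample),
              "addslashes ->", repr(round_trip(addslashes, sample)),
              "| sqlite_quote ->", repr(round_trip(sqlite_quote, sample)))
```

With backslash escaping the quoted value produces a malformed statement and the backslash value is stored with an extra backslash; the database-specific rule stores both unchanged.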