On Wed, Dec 24, 2008 at 2:19 PM, Daniel Friesen <dan_the_man(a)telus.net> wrote:
> Agh noooo.... don't base ideas off that crap coded
> system!
> Last time I checked, phpBB was still using raw SQL statements, and
> instead of properly escaping with a clean system like MediaWiki
> currently is, they used a method for getting request values which would
> typecast the value into the same type as the default value. Agh, to be
> quite honest, the fact that they don't even bother escaping, and rely
> only on typecasting most of the input into numbers, is probably the
> reason why phpBB ends up with so many security issues.
I just looked, and you're right, they seem to rely on things like this
for multi-DB support:
/**
 * Oracle specific code to handle it's lack of sanity
 * @access private
 */
function _rewrite_where($where_clause)
{
	preg_match_all('/\s*(AND|OR)?\s*([\w_.]++)\s*(?:(=|<[=>]?|>=?)\s*((?>\'(?>[^\']++|\'\')*+\'|[\d-.]+))|((NOT )?IN\s*\((?>\'(?>[^\']++|\'\')*+\',? ?|[\d-.]+,? ?)*+\)))/', $where_clause, $result, PREG_SET_ORDER);
	$out = '';
	foreach ($result as $val)
Probably not a model we want to follow, although I don't think that
using raw SQL is necessarily bad in principle (using string
concatenation to include variables certainly is, though).
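As an added example (not code from this thread, from phpBB or from MediaWiki), here are the three ways of handling request values that the discussion above contrasts, written in Python against an in-memory SQLite table: cast-to-the-default's-type alone followed by string concatenation, standard SQL quote-escaping, and a parameterized query. `request_var`, `sql_quote` and the `users` table are constructed stand-ins; `request_var` imitates PHP's `(int)` cast by taking the leading digits of the raw value. The point it shows is that the cast does neutralize an injection in an integer parameter, but a parameter whose default is a string is passed straight through, so only escaping or parameter binding protects it.

```python
import re
import sqlite3

# Constructed sample data (not from phpBB or MediaWiki): a tiny users table.
SAMPLE_ROWS = [(1, "alice", "s1"), (2, "bob", "s2")]


def make_db():
    """Build a throwaway in-memory database holding SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def request_var(raw, default):
    """Hypothetical stand-in for a request getter that casts the raw value
    to the type of its default. Integers are parsed the way PHP's (int)
    cast behaves (leading digits, otherwise 0); strings pass through
    untouched, which is exactly the gap the discussion above points at."""
    if isinstance(default, int):
        m = re.match(r"\s*[+-]?\d+", raw)
        return int(m.group()) if m else 0
    return str(raw)


def sql_quote(value):
    """Escape a value as a standard SQL string literal by doubling single
    quotes (the SQLite/ANSI form). Real drivers ship their own function
    for this; this helper exists only so the example runs stand-alone."""
    return "'" + value.replace("'", "''") + "'"


def lookup_typecast_only(conn, raw_id, raw_name):
    """Typecast the inputs, then build the SQL by string concatenation.
    The integer is safe; the string is interpolated verbatim."""
    uid = request_var(raw_id, 0)
    name = request_var(raw_name, "")
    sql = ("SELECT name FROM users WHERE id = %d AND name = '%s' ORDER BY id"
           % (uid, name))
    return [row[0] for row in conn.execute(sql)]


def lookup_escaped(conn, raw_id, raw_name):
    """Same concatenation, but the string goes through sql_quote first."""
    uid = request_var(raw_id, 0)
    name = request_var(raw_name, "")
    sql = ("SELECT name FROM users WHERE id = %d AND name = %s ORDER BY id"
           % (uid, sql_quote(name)))
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, raw_id, raw_name):
    """Raw SQL with bound parameters: the driver keeps values out of the
    statement text, so no escaping is needed for either input."""
    uid = request_var(raw_id, 0)
    name = request_var(raw_name, "")
    rows = conn.execute(
        "SELECT name FROM users WHERE id = ? AND name = ? ORDER BY id",
        (uid, name))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    # Injection attempt in the integer parameter: the cast reduces it to 1.
    print(lookup_typecast_only(db, "1 OR 1=1", "alice"))
    # Injection attempt in the string parameter: typecasting alone lets it
    # through and the WHERE clause becomes ... OR '1'='1'.
    payload = "' OR '1'='1"
    print(lookup_typecast_only(db, "1", payload))
    print(lookup_escaped(db, "1", payload))
    print(lookup_parameterized(db, "1", payload))
```

The second `lookup_typecast_only` call returns every user because the interpolated payload closes the literal and appends `OR '1'='1'`; the escaped and parameterized versions treat the same bytes as a name nobody has and return nothing. That is the distinction the reply draws between raw SQL as such and raw SQL built by concatenating variables.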