[Mediawiki-l] Limit editing to original author
Brion Vibber
brion at pobox.com
Wed May 3 20:59:29 UTC 2006
Christophe PROME wrote:
> $titre_page = $title->getText();
> $titre_page = str_replace(" ", "_", $titre_page);  // page title as it appears in page_title
[snip]
> // --- 1st query: page id --- //
> $res1 = $dbw->query("SELECT page_id FROM $table_1 WHERE page_title=\"$titre_page\";");
This is an SQL injection vulnerability; unescaped user-provided text in the query.
Note that you could save yourself some trouble here by just calling
$title->getArticleId(). :)
> // --- 2nd query: user name --- //
> $res2 = $dbw->query("SELECT rev_user_text FROM $table_2 WHERE rev_page = \"$id_page\" LIMIT 1;");
You should use "ORDER BY rev_timestamp LIMIT 1" to ensure that the proper index
sort is used.
-- brion vibber (brion @ pobox.com)
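The two points above (the injectable page lookup, and a LIMIT 1 without ORDER BY not being the first revision) are easy to see with a small self-contained example. The following is added here and is not code from the thread or from MediaWiki; it uses Python and an in-memory SQLite database with constructed page/revision rows loosely modelled on the page_id/page_title and rev_page/rev_user_text/rev_timestamp columns the post queries. The vulnerable lookup keeps the str_replace and string-interpolation pattern from the posted PHP (single quotes are used instead of the post's double quotes only because SQLite does not treat double quotes as string literals in all builds; the injection is the same). The MediaWiki-specific shortcut $title->getArticleId() has no Python equivalent here, so the fix shown is the general one: bind the title as a parameter.

```python
import sqlite3

# Constructed sample data (not from any real wiki). Revisions are inserted
# deliberately out of timestamp order so that "first row" != "first revision".
PAGES = [(1, "Main_Page"), (2, "Sandbox")]
REVISIONS = [
    # rev_id, rev_page, rev_user_text, rev_timestamp (MediaWiki stores YYYYMMDDHHMMSS)
    (12, 2, "Editor2", "20060503120000"),
    (10, 2, "Original", "20060501120000"),
    (11, 2, "Editor1", "20060502120000"),
    (1, 1, "Admin", "20060101000000"),
]


def make_db():
    """Build an in-memory database with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    # rev_id is intentionally NOT the primary key so that an unordered scan
    # follows insertion order rather than rev_id order.
    conn.executescript("""
        CREATE TABLE page (page_id INTEGER PRIMARY KEY, page_title TEXT NOT NULL);
        CREATE TABLE revision (rev_id INTEGER NOT NULL, rev_page INTEGER NOT NULL,
                               rev_user_text TEXT NOT NULL, rev_timestamp TEXT NOT NULL);
    """)
    conn.executemany("INSERT INTO page VALUES (?, ?)", PAGES)
    conn.executemany("INSERT INTO revision VALUES (?, ?, ?, ?)", REVISIONS)
    return conn


def page_id_unsafe(conn, title):
    """The posted pattern: the (user-controlled) title is pasted into the SQL text.

    str_replace(" ", "_") does not help: an attacker simply writes a payload
    without spaces, e.g. Nonexistent'OR(page_id=2)-- which makes the WHERE
    clause true for page 2 and comments out the rest of the statement.
    """
    title = title.replace(" ", "_")
    sql = f"SELECT page_id FROM page WHERE page_title='{title}';"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def page_id_safe(conn, title):
    """Parameterised form: the title is bound as data and never parsed as SQL."""
    title = title.replace(" ", "_")
    row = conn.execute(
        "SELECT page_id FROM page WHERE page_title=?", (title,)
    ).fetchone()
    return row[0] if row else None


def first_row_author_unordered(conn, page_id):
    """LIMIT 1 with no ORDER BY: returns whatever row the engine visits first.

    The result is not defined by SQL; on this table it is insertion order,
    which here is the *latest* editor, not the page creator.
    """
    row = conn.execute(
        "SELECT rev_user_text FROM revision WHERE rev_page=? LIMIT 1", (page_id,)
    ).fetchone()
    return row[0] if row else None


def original_author(conn, page_id):
    """The corrected query: order by rev_timestamp so LIMIT 1 is the earliest revision."""
    row = conn.execute(
        "SELECT rev_user_text FROM revision WHERE rev_page=? "
        "ORDER BY rev_timestamp LIMIT 1",
        (page_id,),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    payload = "Nonexistent'OR(page_id=2)--"
    print("unsafe, legitimate title:", page_id_unsafe(db, "Sandbox"))
    print("unsafe, injected title:  ", page_id_unsafe(db, payload))
    print("safe,   injected title:  ", page_id_safe(db, payload))
    print("LIMIT 1 without ORDER BY:", first_row_author_unordered(db, 2))
    print("ORDER BY rev_timestamp:  ", original_author(db, 2))
```

Running it shows the injected title resolving to page 2 through the string-built query while the parameterised query returns nothing, and the unordered LIMIT 1 naming a later editor where the ORDER BY rev_timestamp query names the page creator. In MediaWiki's own Database layer the same effect is obtained with $dbw->addQuotes() or the array-condition form of selectField(), which escape the value for you.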