[Mediawiki-l] attack of the backslashes (IE and forms?)

Jim Hu jimhu at tamu.edu
Wed Aug 22 01:17:46 UTC 2007


On Aug 21, 2007, at 7:50 PM, Rob Church wrote:

> On 22/08/07, Jim Hu <jimhu at tamu.edu> wrote:
>> I use mysql_real_escape_string before saving to the database.  I use
>> stripslashes when I get it back out.
>
> This is superfluous; no extra slashes are *saved* into the database.

hmm... so that makes it even more mysterious.  sigh.  When the  
slashes go nuts, they're definitely in the database.  I assume that  
you weren't saying that mysql_real_escape_string is superfluous.  Or  
is it?  I have a feeling that I'm not using the abstraction provided  
by the MW database functions properly.  For example, the method in my  
row class to save back to the database is

	function db_save_row(){
		global $wgTableEditDatabase;			
		# $this->row_id set when data previously pulled from database
		# for a row only set in temp space, should be undef
		$dbr =& wfGetDB( DB_SLAVE );
		if ($this->row_data == '') return; # don't save rows with no data or || delimiters
		$this->row_data = mysql_real_escape_string($this->row_data);		
		if (!$this->row_id){
			$sql = "INSERT INTO $wgTableEditDatabase.row VALUES(
				null,
				'$this->box_id',
				'$this->owner_uid',
				'$this->row_data',
				'$this->row_style',
				'$this->row_sort_order',
				'".time()."'
				)";
			$result = $dbr->query($sql);
			$this->row_id = $dbr->insertId();
		}elseif($this->is_current === true){
			# it's in the DB and it's current, update it.
			$sql = "UPDATE $wgTableEditDatabase.row SET
				owner_uid='$this->owner_uid',
				row_data='$this->row_data',
				row_style = '$this->row_style',
				row_sort_order = '$this->row_sort_order',
				timestamp = '".time()."'
				WHERE row_id = '$this->row_id'";
			$result = $dbr->query($sql);
		}else{
			#it's in the DB but it's not current.  Delete it from the DB
			$sql = "DELETE FROM $wgTableEditDatabase.row WHERE row_id = '$this->row_id'";
			$result = $dbr->query($sql);
		}
	return;		
	}

I'm thinking that I should probably be using $dbr->insert(..arrays..),
$dbr->update(.. arrays..), and $dbr->delete(... arrays...).
Should I be using $dbr->safeQuery instead of mysql_real_escape_string?

I did tell you my code was hacky!!

Jim

>
>
> Rob Church
>
> _______________________________________________
> MediaWiki-l mailing list
> MediaWiki-l at lists.wikimedia.org
> http://lists.wikimedia.org/mailman/listinfo/mediawiki-l

=====================================
Jim Hu
Associate Professor
Dept. of Biochemistry and Biophysics
2128 TAMU
Texas A&M Univ.
College Station, TX 77843-2128
979-862-4054
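For readers of the archive: the following is an added example, not Jim's code and not MediaWiki's own, of the same save/update/delete method written against the MediaWiki Database abstraction he mentions (insert(), update(), delete(), select()). The class name TableEditRow is hypothetical, the table is assumed to live in the wiki's own database under the name 'row' with the same columns as the hand-built SQL above, and the API is the Database class of the MediaWiki 1.10/1.11 era (wfGetDB, DB_MASTER, insertId, __METHOD__ as the function-name argument). The point it shows is that the abstraction quotes each value exactly once, so there is no mysql_real_escape_string() on the way in and no stripslashes() on the way out, and no SQL string is ever assembled from user data.

```php
<?php
// Added example: TableEditRow is a hypothetical stand-in for the row class
// in the original mail. Field names match the INSERT/UPDATE shown there.
class TableEditRow {
	public $row_id;
	public $box_id;
	public $owner_uid;
	public $row_data;
	public $row_style;
	public $row_sort_order;
	public $is_current;

	function db_save_row() {
		// Writes go to the master; DB_SLAVE is only appropriate for reads.
		$dbw = wfGetDB( DB_MASTER );

		if ( $this->row_data == '' ) {
			return; // don't save rows with no data
		}

		// No manual escaping: insert()/update()/delete() pass every value
		// through addQuotes() themselves, so a backslash stored once is read
		// back once, and a value containing quotes cannot alter the query.
		if ( !$this->row_id ) {
			$dbw->insert(
				'row',   // assumed table name in the wiki's own database
				array(
					'box_id'         => $this->box_id,
					'owner_uid'      => $this->owner_uid,
					'row_data'       => $this->row_data,
					'row_style'      => $this->row_style,
					'row_sort_order' => $this->row_sort_order,
					'timestamp'      => time(),
				),
				__METHOD__
			);
			$this->row_id = $dbw->insertId();
		} elseif ( $this->is_current === true ) {
			// it's in the DB and it's current, update it
			$dbw->update(
				'row',
				array(   // SET ...
					'owner_uid'      => $this->owner_uid,
					'row_data'       => $this->row_data,
					'row_style'      => $this->row_style,
					'row_sort_order' => $this->row_sort_order,
					'timestamp'      => time(),
				),
				array( 'row_id' => $this->row_id ),   // WHERE ...
				__METHOD__
			);
		} else {
			// it's in the DB but it's not current: delete it
			$dbw->delete( 'row', array( 'row_id' => $this->row_id ), __METHOD__ );
		}
	}

	// Reading back: the row comes out exactly as stored, so no stripslashes().
	static function db_load_row( $row_id ) {
		$dbr = wfGetDB( DB_SLAVE );
		$res = $dbr->selectRow( 'row', '*', array( 'row_id' => $row_id ), __METHOD__ );
		if ( !$res ) {
			return null;
		}
		$r = new TableEditRow();
		$r->row_id         = $res->row_id;
		$r->box_id         = $res->box_id;
		$r->owner_uid      = $res->owner_uid;
		$r->row_data       = $res->row_data;   // stored bytes, unmodified
		$r->row_style      = $res->row_style;
		$r->row_sort_order = $res->row_sort_order;
		$r->is_current     = true;
		return $r;
	}
}
```

A quick check that the fix is complete: with the abstraction in place, any leftover slashes that still appear in stored rows are arriving in the form data itself (before the save), not being added by the database layer, which is the same conclusion Rob's reply points to.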



