[Mediawiki-l] attack of the backslashes (IE and forms?)

Brion Vibber brion at wikimedia.org
Wed Aug 22 15:15:08 UTC 2007



Jim Hu wrote:
> 		$this->row_data = mysql_real_escape_string($this->row_data);		
> 		if (!$this->row_id){
> 			$sql = "INSERT INTO $wgTableEditDatabase.row VALUES(
> 				null,
> 				'$this->box_id',
> 				'$this->owner_uid',
> 				'$this->row_data',
> 				'$this->row_style',
> 				'$this->row_sort_order',
> 				'".time()."'
> 				)";

*sob*

> I'm thinking that I should probably be using $dbr->insert 
> (..arrays..), $dbr->update(.. arrays..), and $dbr->delete(...  
> arrays...).

Yes please. :D

> Should I be using $dbr->safeQuery instead of mysql_real_escape_string?

You could, but for simple queries like this I'd much rather see the
insert(), update(), etc wrappers used. Less likelihood of user error. :)

- -- brion vibber (brion @ wikimedia.org)
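Added example (not code from this thread or from the TableEdit extension): the quoted INSERT rewritten on top of the insert()/update()/delete() wrappers Brion recommends, with the manual mysql_real_escape_string() call dropped. It assumes the MediaWiki Database API of the time (wfGetDB(), insert(), update(), delete(), insertId(), addQuotes()), assumes that insert() and friends accept a "database.table" name, and the column names are assumptions, since the original query listed its values positionally without naming columns.

```php
<?php
// Added example, not the extension's own code. Assumes MediaWiki's
// Database wrappers: wfGetDB(), insert(), update(), delete(), insertId().
// Column names (row_id, box_id, ...) are assumed; the original INSERT
// gave values positionally and named no columns.

class TableEditRow {
	public $row_id;
	public $box_id;
	public $owner_uid;
	public $row_data;
	public $row_style;
	public $row_sort_order;

	/**
	 * Insert a new row or update an existing one.
	 * No mysql_real_escape_string() anywhere: the wrappers run every value
	 * through addQuotes() themselves. Escaping by hand first and then
	 * letting the wrapper quote again stores doubled backslashes, which is
	 * exactly the kind of "attack of the backslashes" the subject describes.
	 */
	function save() {
		global $wgTableEditDatabase;

		// Writes go to the master, never a replica.
		$dbw = wfGetDB( DB_MASTER );

		// Assumption: a "database.table" name is accepted and quoted by the
		// wrapper via tableName(); if not, use the bare table name.
		$table = "$wgTableEditDatabase.row";

		$values = array(
			'box_id'           => $this->box_id,
			'owner_uid'        => $this->owner_uid,
			'row_data'         => $this->row_data,   // user-supplied, quoted by the wrapper
			'row_style'        => $this->row_style,
			'row_sort_order'   => $this->row_sort_order,
			'row_last_updated' => time(),            // assumed column name
		);

		if ( !$this->row_id ) {
			// The auto-increment key is simply omitted instead of passing NULL.
			$dbw->insert( $table, $values, __METHOD__ );
			$this->row_id = $dbw->insertId();
		} else {
			// Conditions are an array too, so the id is quoted, not interpolated.
			$dbw->update( $table, $values, array( 'row_id' => $this->row_id ), __METHOD__ );
		}
	}

	/** Delete this row; the condition array is quoted by the wrapper. */
	function delete() {
		global $wgTableEditDatabase;
		$dbw = wfGetDB( DB_MASTER );
		$dbw->delete( "$wgTableEditDatabase.row",
			array( 'row_id' => $this->row_id ), __METHOD__ );
	}
}
```

The point of the rewrite is that there is no longer any string of SQL for a value to land in unquoted: column values and WHERE conditions are both passed as arrays, and the wrapper does the quoting in one place. The check worth making after switching is to save a value containing a quote and a backslash (e.g. O'Brien\test) and read it back; it should come back unchanged, with no extra backslashes, which only holds if every mysql_real_escape_string() call on the same data has been removed.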


