[Mediawiki-l] attack of the backslashes (IE and forms?)
Jim Hu
jimhu at tamu.edu
Wed Aug 22 15:44:11 UTC 2007
On Aug 22, 2007, at 10:15 AM, Brion Vibber wrote:
> Jim Hu wrote:
>> $this->row_data = mysql_real_escape_string($this->row_data);
>> if (!$this->row_id){
>> $sql = "INSERT INTO $wgTableEditDatabase.row VALUES(
>> null,
>> '$this->box_id',
>> '$this->owner_uid',
>> '$this->row_data',
>> '$this->row_style',
>> '$this->row_sort_order',
>> '".time()."'
>> )";
>
> *sob*
Sorry!! Wow, now I really feel guilty. It used to be worse... I was
doing mysql queries directly from php when I started <ducking>
>
>> I'm thinking that I should probably be using $dbr->insert
>> (..arrays..), $dbr->update(.. arrays..), and $dbr->delete(...
>> arrays...).
>
> Yes please. :D
Well, I need to do some major refactoring of the TableEdit extension
soon (need to be able to handle rollback, for example), so that's a
good opportunity.
I also just realized recently that I should be using the XML methods
for forms. Now that my project has minions, I have to make sure I
don't teach them my bad habits.
>
>> Should I be using $dbr->safeQuery instead of
>> mysql_real_escape_string?
>
> You could, but for simple queries like this I'd much rather see the
> insert(), update(), etc. wrappers used. Less likelihood of user
> error. :)
So the wrappers take care of cleaning up things like quotes and
returns in the round trip? Oh man, I really should have studied the
Database.php code more. As I learn this stuff, I'll try to update
the guide for extension authors on mediawiki.org (if someone else who
really knows what they're doing doesn't beat me to it).
I realize that you guys didn't start this as a system for self-teaching
OO PHP, but that's what it's been for me. Thanks for the
patience and the feedback.
Jim
>
> - -- brion vibber (brion @ wikimedia.org)
>
> _______________________________________________
> MediaWiki-l mailing list
> MediaWiki-l at lists.wikimedia.org
> http://lists.wikimedia.org/mailman/listinfo/mediawiki-l
=====================================
Jim Hu
Associate Professor
Dept. of Biochemistry and Biophysics
2128 TAMU
Texas A&M Univ.
College Station, TX 77843-2128
979-862-4054
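The "before" and "after" of the advice in this thread, as an added example that is not code from the TableEdit extension or from MediaWiki itself: the hand-escaped INSERT from the original post next to the same write done through the MediaWiki Database wrapper (wfGetDB, insert(), update(), insertId()), which quotes each value exactly once. It assumes hypothetical column names for the TableEdit `row` table and that the table lives in the wiki's own database; `$wgTableEditDatabase` is the variable from the post.

```php
<?php
// Added example, not TableEdit's or MediaWiki's own code. Column names
// (row_id, box_id, ..., row_time) are assumptions; the original INSERT
// used positional VALUES only.

// BEFORE: hand-built SQL. Every field that is not passed through
// mysql_real_escape_string() is an injection point, and a value that is
// escaped here AND again on the way back out (or by magic_quotes) gains
// a new layer of backslashes on every edit round trip.
function tableEditInsertRowOld( $row ) {
	global $wgTableEditDatabase;
	$data = mysql_real_escape_string( $row->row_data );
	$sql = "INSERT INTO $wgTableEditDatabase.row VALUES( null, '$row->box_id',
		'$row->owner_uid', '$data', '$row->row_style',
		'$row->row_sort_order', '" . time() . "' )";
	return mysql_query( $sql );
}

// AFTER: hand the wrapper raw PHP values. It quotes and escapes each one
// itself, so nothing must be pre-escaped (pre-escaping is what doubles
// the backslashes) and no field can be forgotten.
function tableEditInsertRow( $row ) {
	$dbw = wfGetDB( DB_MASTER );   // writes go to the master
	$dbw->insert(
		'row',                     // table name (assumed, in the wiki's DB)
		array(
			'row_id'         => null,           // auto-increment
			'box_id'         => $row->box_id,
			'owner_uid'      => $row->owner_uid,
			'row_data'       => $row->row_data, // raw, unescaped text
			'row_style'      => $row->row_style,
			'row_sort_order' => $row->row_sort_order,
			'row_time'       => time(),
		),
		__METHOD__                 // shows up in query logs / profiling
	);
	return $dbw->insertId();
}

// update() and delete() take the same shape: a value array, then a
// WHERE array, both quoted by the wrapper.
function tableEditUpdateRowData( $rowId, $newData ) {
	$dbw = wfGetDB( DB_MASTER );
	$dbw->update( 'row', array( 'row_data' => $newData ),
		array( 'row_id' => $rowId ), __METHOD__ );
}

function tableEditDeleteRow( $rowId ) {
	$dbw = wfGetDB( DB_MASTER );
	$dbw->delete( 'row', array( 'row_id' => $rowId ), __METHOD__ );
}
```

Reading the value back with the wrapper's select methods returns it unescaped, so the round trip Jim asks about stays stable only if no layer in between adds its own escaping.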