[Mediawiki-l] attack of the backslashes (IE and forms?)

Jim Hu jimhu at tamu.edu
Wed Aug 22 15:44:11 UTC 2007


On Aug 22, 2007, at 10:15 AM, Brion Vibber wrote:

>
> Jim Hu wrote:
>> 		$this->row_data = mysql_real_escape_string($this->row_data);		
>> 		if (!$this->row_id){
>> 			$sql = "INSERT INTO $wgTableEditDatabase.row VALUES(
>> 				null,
>> 				'$this->box_id',
>> 				'$this->owner_uid',
>> 				'$this->row_data',
>> 				'$this->row_style',
>> 				'$this->row_sort_order',
>> 				'".time()."'
>> 				)";
>
> *sob*

Sorry!!  Wow, now I really feel guilty.  It used to be worse... I was  
doing mysql queries directly from php when I started <ducking>

>
>> I'm thinking that I should probably be using $dbr->insert
>> (..arrays..), $dbr->update(.. arrays..), and $dbr->delete(...
>> arrays...).
>
> Yes please. :D

Well, I need to do some major refactoring of the TableEdit extension  
soon (need to be able to handle rollback, for example), so that's a  
good opportunity.

I also just realized recently that I should be using the XML methods  
for forms.  Now that my project has minions, I have to make sure I  
don't teach them my bad habits.

>
>> Should I be using $dbr->safeQuery instead of  
>> mysql_real_escape_string?
>
> You could, but for simple queries like this I'd much rather see the
> insert(), update(), etc wrappers used. Less likelihood of user  
> error. :)

So the wrappers take care of cleaning up things like quotes and  
returns in the round trip?  Oh man, I really should have studied the  
Database.php code more.  As I learn this stuff, I'll try to update  
the guide for extension authors on mediawiki.org (if someone else who  
really knows what they're doing doesn't beat me to it).

I realize that you guys didn't start this as a system for self-teaching OO PHP, but that's what it's been for me.  Thanks for the patience and the feedback.

Jim

>
> -- brion vibber (brion @ wikimedia.org)

=====================================
Jim Hu
Associate Professor
Dept. of Biochemistry and Biophysics
2128 TAMU
Texas A&M Univ.
College Station, TX 77843-2128
979-862-4054
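The same write from the quoted snippet, done through the insert()/update()/delete() wrappers Brion recommends, as an added example that is not code from this thread or from the TableEdit extension. Column names are assumed for illustration (the original VALUES list is positional), and it is assumed the wrapper accepts the database-qualified table name the original query used.

```php
<?php
// Added example, not the extension's own code. Column names are assumed.

function saveTableEditRow( $row ) {
	global $wgTableEditDatabase;

	// Writes go through the master connection (DB_SLAVE is for reads).
	$dbw = wfGetDB( DB_MASTER );
	$table = "$wgTableEditDatabase.row";

	// The wrapper runs addQuotes() on every value itself, so pass the raw
	// string: do not pre-escape with mysql_real_escape_string(), or the
	// stored text picks up an extra layer of backslashes on every save.
	$values = array(
		'box_id'         => $row->box_id,
		'owner_uid'      => $row->owner_uid,
		'row_data'       => $row->row_data,
		'row_style'      => $row->row_style,
		'row_sort_order' => $row->row_sort_order,
		'created'        => time(),
	);

	if ( !$row->row_id ) {
		// Builds INSERT INTO <table> (cols) VALUES (quoted values);
		// the auto-increment id column is simply left out.
		$dbw->insert( $table, $values, __METHOD__ );
		$row->row_id = $dbw->insertId();
	} else {
		// Builds UPDATE <table> SET col=value WHERE row_id=<quoted id>;
		// condition values are quoted by the wrapper as well.
		$dbw->update( $table, $values,
			array( 'row_id' => $row->row_id ), __METHOD__ );
	}
	return $row->row_id;
}

function deleteTableEditRow( $rowId ) {
	global $wgTableEditDatabase;
	$dbw = wfGetDB( DB_MASTER );
	// Builds DELETE FROM <table> WHERE row_id=<quoted id>.
	$dbw->delete( "$wgTableEditDatabase.row",
		array( 'row_id' => $rowId ), __METHOD__ );
}
```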