On Dec 17, 2004, at 11:29 AM, ThomasV wrote:
> I just wrote an extension that hashar was kind enough
> to commit to cvs.
> It is named enumcat. Its purpose is to display the members of a
> category in a normal page, with a pipe separator.
> Please bear with me if the code is ugly. I know it is, but it is my
> very first program in php. Among other inelegant things, the
> syntax: it uses the second parameter (sortkey) of a category
> to display its text, which is not the standard use of a sortkey.
First, this code contains an SQL injection vulnerability: user-supplied
input is directly inserted into an SQL statement without processing.
This is something you need to be *very* careful about on a web
application where anybody in the world can put any data they please
into your program.
At a minimum, the SQL injection can be used as a DoS vector, to force a
very large number of rows to be pulled (all categorized pages in the
entire database). It may or may not be possible to exploit it in even
more malicious ways (altering data without showing in the audit trail,
or extracting restricted-access user data such as e-mail and passwords,
etc).
If you construct a raw query, user-supplied data should always first be
encoded to ensure that special characters (such as single quotes and
backslashes) are interpreted correctly as text and that the SQL
statement cannot be subverted. Use Database::strencode() or
Database::addQuotes(), or the Database::safeQuery() wrapper function.
Alternatively, use the fancier array-based wrapper functions to
construct the query.
A couple more general issues...
This will pull all categorized pages for the given category.
Potentially this could be tens of thousands of titles for large
categories, which can be rather burdensome for the database. You should
probably add a cut-off limit.
I also recommend using Title::makeTitle() to construct title objects
from database-supplied namespace,title pairs rather than cobbling a
string together which must be parsed again. Use Skin::makeLinkObj() on
a title object.
The if/for loop construct at the end could be more cleanly done using
the implode() function.
-- brion vibber (brion @ pobox.com)
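As an added example that is not part of this thread and not the enumcat extension's own code, the following PHP contrasts the concatenated-query pattern Brion objects to with a hardened version that binds the category name, applies a row cut-off, and joins the output with implode(). It runs stand-alone on PDO with an in-memory SQLite database; MediaWiki's Database class and its strencode()/addQuotes()/safeQuery() wrappers are not used, and the cur/categorylinks column names are a constructed approximation of the 2004-era schema, not taken from MediaWiki.

```php
<?php
// Added example (not code from the enumcat extension or from MediaWiki).
// Assumptions: PDO with SQLite in memory; a simplified cur/categorylinks
// layout; plain "ns:title" strings standing in for rendered links.

function makeSampleDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE cur (cur_id INTEGER PRIMARY KEY, cur_namespace INTEGER, cur_title TEXT)');
    $db->exec('CREATE TABLE categorylinks (cl_from INTEGER, cl_to TEXT, cl_sortkey TEXT)');
    // Constructed sample rows: two categories, one with a quote in its name.
    $rows = [
        [1, 0, 'Paris',  'Cities of France', 'Paris'],
        [2, 0, 'Lyon',   'Cities of France', 'Lyon'],
        [3, 0, 'Berlin', "Germany's cities", 'Berlin'],
    ];
    $page = $db->prepare('INSERT INTO cur VALUES (?, ?, ?)');
    $link = $db->prepare('INSERT INTO categorylinks VALUES (?, ?, ?)');
    foreach ($rows as [$id, $ns, $title, $cat, $sortkey]) {
        $page->execute([$id, $ns, $title]);
        $link->execute([$id, $cat, $sortkey]);
    }
    return $db;
}

// VULNERABLE: the category name is dropped straight into the SQL text.
// A name containing a quote breaks the statement, and attacker-chosen
// input can rewrite the WHERE clause, which is the DoS and data-exposure
// risk the reply describes. There is also no LIMIT, so a large category
// pulls every member.
function enumcatRaw(PDO $db, string $cat): array {
    $sql = "SELECT cur_namespace, cur_title, cl_sortkey FROM categorylinks, cur"
         . " WHERE cl_from = cur_id AND cl_to = '$cat' ORDER BY cl_sortkey";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: bound parameters (the driver quotes the value, the analogue of
// Database::addQuotes() on a raw query), a row cut-off, and implode() in
// place of the if/for separator loop.
function enumcatSafe(PDO $db, string $cat, int $limit = 200): string {
    $stmt = $db->prepare(
        'SELECT cur_namespace, cur_title, cl_sortkey FROM categorylinks'
      . ' JOIN cur ON cl_from = cur_id WHERE cl_to = :cat'
      . ' ORDER BY cl_sortkey LIMIT :limit'
    );
    $stmt->bindValue(':cat', $cat, PDO::PARAM_STR);
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    $links = [];
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        // In MediaWiki this is where Title::makeTitle($row['cur_namespace'],
        // $row['cur_title']) and Skin::makeLinkObj() would build the link;
        // a plain "ns:title" string stands in for it here.
        $links[] = $row['cur_namespace'] . ':' . $row['cur_title'];
    }
    return implode(' | ', $links);
}

$db = makeSampleDb();
echo enumcatSafe($db, "Germany's cities"), "\n";
echo enumcatSafe($db, 'Cities of France', 1), "\n";
try {
    enumcatRaw($db, "Germany's cities");
} catch (PDOException $e) {
    echo 'raw query failed: ', $e->getMessage(), "\n";
}
```

The hardened function lists the quoted category correctly and honours the cut-off, while the raw function fails on the same ordinary input because the unescaped quote terminates the string literal early; the same mechanism is what lets crafted input alter the query. Inside MediaWiki the equivalent is to pass the category through Database::addQuotes() (or use the array-based select wrapper, which quotes values for you) and to add a LIMIT, as the reply recommends.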