Re: [Wikitech-l] enumcat extension

On Dec 17, 2004, at 11:29 AM, ThomasV wrote: First, this code contains an SQL injection vulnerability: user-supplied input is directly inserted into an SQL statement without processing. This is something you need to be *very* careful about on a web application where anybody in the world can put any data they please into your program. At a minimum, the SQL injection can be used as a DoS vector, to force a very large number of rows to be pulled (all categorized pages in the entire database). It may or may not be possible to exploit it in even more malicious ways (altering data without showing in the audit trail, or extracting restricted-access user data such as e-mail and passwords, etc). If you construct a raw query, user-supplied data should always first be encoded to ensure that special characters (such as single quotes and backslashes) are interpreted correctly as text and that the SQL statement cannot be subverted. Use Database::strencode() or Database::addQuotes(), or the Database::safeQuery() wrapper function. Alternatively, use the fancier array-based wrapper functions to construct the query. A couple more general issues... This will pull all categorized pages for the given category. Potentially this could be tens of thousands of titles for large categories, which can be rather burdensome for the database. You should probably add a cut-off limit. I also recommend using Title::makeTitle() to construct title objects from database-supplied namespace,title pairs rather than cobbling a string together which must be parsed again. Use Skin::makeLinkObj() on a title object. The if/for loop construct at the end could be more cleanly done using the implode() function. -- brion vibber (brion @ pobox.com)