On Wed, Dec 24, 2008 at 2:19 PM, Daniel Friesen dan_the_man@telus.net wrote:
> Agh noooo.... don't base ideas off that crap-coded system!
> Last time I checked, phpBB was still using raw SQL statements, and instead of properly escaping with a clean system like MediaWiki currently has, they used a method for getting request values which would typecast the value into the same type as the default value. Agh, to be quite honest, the fact that they don't even bother escaping, and rely only on typecasting most of the input into numbers, is probably the reason why phpBB ends up with so many security issues.
I just looked, and you're right, they seem to rely on things like this for multi-DB support:
    /**
     * Oracle specific code to handle its lack of sanity
     * @access private
     */
    function _rewrite_where($where_clause)
    {
        preg_match_all('/\s*(AND|OR)?\s*([\w_.]++)\s*(?:(=|<[=>]?|>=?)\s*((?>\'(?>[^\']++|\'\')*+\'|[\d-.]+))|((NOT )?IN\s*((?>\'(?>[^\']++|\'\')*+\',? ?|[\d-.]+,? ?)*+)))/', $where_clause, $result, PREG_SET_ORDER);
        $out = '';
        foreach ($result as $val)
Probably not a model we want to follow, although I don't think that using raw SQL is necessarily bad in principle (using string concatenation to include variables certainly is, though).
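The point made in this thread, that typecasting request values to the type of their default only helps when the default is numeric and does nothing for string defaults that are then concatenated into SQL, can be shown in a few lines. The following is an added illustration written for this page, not code from phpBB or MediaWiki; the function names (typed_request_value, build_query_unsafe, find_user_safe) are hypothetical, and the sample request is constructed.

```php
<?php
// Added example (not phpBB/MediaWiki code). Function names are hypothetical.

// Typecast-only "sanitisation" in the style the thread describes: the
// request value is coerced to the type of the supplied default.
function typed_request_value(array $request, string $key, $default)
{
    if (!array_key_exists($key, $request)) {
        return $default;
    }
    $value = $request[$key];
    if (is_int($default)) {
        return (int) $value;    // "7abc" becomes 7, non-numeric text becomes 0
    }
    if (is_bool($default)) {
        return (bool) $value;
    }
    return (string) $value;     // a string default passes the raw text through untouched
}

// String concatenation: the integer id is harmless after the cast, but the
// string value is interpolated exactly as received, quotes and all.
function build_query_unsafe(array $request): string
{
    $id   = typed_request_value($request, 'id', 0);
    $name = typed_request_value($request, 'name', '');
    return "SELECT * FROM users WHERE id = $id AND name = '$name'";
}

// Hardened form: the SQL text is fixed and values travel as bound parameters,
// so the typecast is only a type hint and the driver handles quoting.
function find_user_safe(PDO $db, array $request): array
{
    $id   = typed_request_value($request, 'id', 0);
    $name = typed_request_value($request, 'name', '');
    $stmt = $db->prepare('SELECT * FROM users WHERE id = :id AND name = :name');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample input: a perfectly legitimate name containing a quote.
$request = ['id' => '7abc', 'name' => "O'Brien"];

echo build_query_unsafe($request), "\n";
// Output: SELECT * FROM users WHERE id = 7 AND name = 'O'Brien'
// The id was neutralised by the cast; the name broke the statement, which is
// the same gap an attacker-controlled string would exploit.

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (id, name) VALUES (7, 'O''Brien')");
print_r(find_user_safe($db, $request));
// Finds the row: the bound parameter carries the quote safely.
```

Run with any PHP build that has the pdo_sqlite extension. The takeaway matches the thread: casting covers only the numeric parameters, so a code base that relies on it still needs either proper escaping or, better, parameterised queries for everything that is not a number.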