On Wed, Dec 24, 2008 at 2:19 PM, Daniel Friesen <[email protected]> wrote:
> Agh noooo.... don't base ideas off that crap-coded system!
>
> Last time I checked, phpBB was still using raw SQL statements, and
> instead of properly escaping with a clean system, like MediaWiki
> currently does, they used a method for getting request values which would
> typecast the value into the same type as the default value. Agh, to be
> quite honest, the fact that they don't even bother escaping, and rely only
> on typecasting most of the input into numbers, is probably the reason why
> phpBB ends up with so many security issues.
I just looked, and you're right, they seem to rely on things like this
for multi-DB support:
/**
* Oracle specific code to handle its lack of sanity
* @access private
*/
function _rewrite_where($where_clause)
{
    preg_match_all('/\s*(AND|OR)?\s*([\w_.]++)\s*(?:(=|<[=>]?|>=?)\s*((?>\'(?>[^\']++|\'\')*+\'|[\d-.]+))|((NOT )?IN\s*\((?>\'(?>[^\']++|\'\')*+\',? ?|[\d-.]+,? ?)*+\)))/',
        $where_clause, $result, PREG_SET_ORDER);
    $out = '';
    foreach ($result as $val)
Probably not a model we want to follow, although I don't think that
using raw SQL is necessarily bad in principle (using string
concatenation to include variables certainly is, though).
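To make the distinction in this thread concrete, here is an added example (not code from phpBB, MediaWiki or this list): a Python/sqlite3 stand-in for a typecast-to-default-type request getter, run once through string concatenation and once through bound parameters. The names `request_var`, `lookup_concat`, `lookup_param` and the sample rows are assumptions constructed for the example; the integer cast mimics PHP's `(int)` semantics.

```python
import re
import sqlite3


def request_var(params, name, default):
    """Stand-in for the phpBB-style getter described in the thread (assumed
    behaviour, not phpBB's code): the raw request value is coerced to the
    type of the default.  Like PHP's (int) cast, an int default keeps only a
    leading integer and turns anything else into 0."""
    raw = params.get(name)
    if raw is None:
        return default
    if isinstance(default, int):
        m = re.match(r"\s*[+-]?\d+", str(raw))
        return int(m.group()) if m else 0
    return str(raw)  # a string default passes the value through untouched


def make_db():
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def lookup_concat(conn, params):
    """The pattern the thread warns against: values spliced into the SQL text."""
    uid = request_var(params, "id", 0)
    name = request_var(params, "name", "")
    sql = "SELECT id, name FROM users WHERE id = %d AND name = '%s'" % (uid, name)
    return conn.execute(sql).fetchall()


def lookup_param(conn, params):
    """Same query with bound parameters: the driver keeps the values as data."""
    uid = request_var(params, "id", 0)
    name = request_var(params, "name", "")
    return conn.execute(
        "SELECT id, name FROM users WHERE id = ? AND name = ?", (uid, name)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Integer default: the cast discards the trailing text, so both forms agree.
    print(lookup_concat(db, {"id": "2 OR 1=1", "name": "bob"}))
    print(lookup_param(db, {"id": "2 OR 1=1", "name": "bob"}))
    # String default: the cast changes nothing, and only the bound query holds.
    tainted = {"id": "2", "name": "x' OR '1'='1"}
    print(lookup_concat(db, tainted))  # every row
    print(lookup_param(db, tainted))   # no row
```

The integer cast happens to neutralise the first input, which is why typecasting looks adequate in a mostly-numeric codebase; the second input shows that any string-typed field still needs escaping or binding.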
_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l