On Sunday, 25 June 2006 at 20:00 -0400, Chris Morgan wrote:
> Hi Jonathan.
>
> You'll want to talk to EA about the filtering changes. The plan is to
> filter using the same syntax and flags that the php filter extension
> is going to use so we can easily switch over to this extension in the
> future.

I know we could use PEAR and we could also use a database abstraction layer, I just thought my solution was better because it has proven to work well on several projects I worked on recently and is recommended by the php manual (and it makes queries more readable than using other syntaxes).

> Also, I've submitted a patch for review to [EMAIL PROTECTED] and
> [EMAIL PROTECTED] that removes all of our get_magic_quotes_gpc()
> use and adds a check in include/incl.php that warns and prevents appdb
> from running if magic quotes is enabled. So you shouldn't need to
> have any get_magic_quotes_gpc() checks anymore.

Isn't it better to support both configurations? My solution works with or without magic quotes.

> I also noticed your quote_smart_sql() call. This call isn't used
> anywhere, we shouldn't add calls to functions that aren't called. We

It is used in 3/3.

> also already have a function that will make sql calls safe called
> query_paramters() in include/db.php. Also, do we want to strip tags
> from sql? Won't that remove all tags from things like app/version
> descriptions, comments and notes?

No, there is a parameter in this function (quote_smart_sql). By default we don't remove html, but for some fields we might want to filter out html (comment titles, etc.)

Thanks.
Jonathan
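As an added illustration (not appdb's own code, and not the quote_smart_sql() the thread refers to), the sketch below shows a helper with the behaviour Jonathan describes: it normalises the value whether or not magic_quotes_gpc rewrote it, optionally strips HTML for fields such as comment titles, and escapes the value exactly once. The function name, signature and the mysqli connection are assumptions.

```php
<?php
// Added example, not appdb code. Assumes $db is an open mysqli connection;
// real_escape_string() needs the connection to know the active charset.

/**
 * Return a MySQL literal for $value that is safe to splice into a statement.
 *
 * Works with magic_quotes_gpc On or Off: if PHP already backslash-escaped
 * the request data we undo that first, so the value is never escaped twice
 * (double escaping is what stores a stray backslash in the database).
 */
function quote_smart_sql(mysqli $db, $value, bool $strip_html = false): string
{
    // get_magic_quotes_gpc() no longer exists on PHP 8, hence the guard.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }

    // Off by default so descriptions and notes keep their markup; turn it
    // on for fields that must never carry HTML, e.g. a comment title.
    if ($strip_html) {
        $value = strip_tags($value);
    }

    if (is_int($value) || is_float($value)) {
        return (string) $value;
    }

    // Always quote strings, even numeric-looking ones such as "1e3" or
    // "0x41"; skipping the quotes for is_numeric() input is a classic slip.
    return "'" . $db->real_escape_string((string) $value) . "'";
}

// Usage (table and column names are placeholders):
// $sql   = "SELECT id FROM some_table WHERE name = " . quote_smart_sql($db, $_GET['name']);
// $title = quote_smart_sql($db, $_POST['title'], true); // HTML stripped for a title field
```

Escaping-and-splicing is the older style the thread debates; a parameterised query function such as the query_paramters() Chris mentions avoids the quoting step altogether, so the helper above is most useful where such a function is not available.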
