| Subject: | this class isn't safe for sql... |
|---|---|
| Summary: | Package rating comment |
| Messages: | 3 |
| Author: | Andrea Venturi |
| Date: | 2008-06-15 13:28:42 |
| Update: | 2008-09-02 19:35:34 |
Andrea Venturi rated this package as follows:

| Utility: | Good |
|---|---|
| Consistency: | Good |
| Documentation: | Good |
| Examples: | Good |
Andrea Venturi - 2008-06-15 13:28:43

This class isn't safe against SQL injection; I added a small function for parsing inputs before use in production.
John Vaughan - 2008-08-22 16:46:25 - In reply to message 1 from Andrea Venturi

Hello Andrea,
 Would you mind posting your modifications?  I think this is a great class as well, but needs some SQL injection prevention to round it off.  You can also email me directly at jjvaughan at gmail
 
 Thanks for sharing!
 -John
Andrea Venturi - 2008-09-02 19:35:34 - In reply to message 2 from John Vaughan

I took the escape function from this class: http://www.phpclasses.org/browse/file/13783.html

 function sql_quote($value)
 {
     // Undo the automatic escaping done by magic_quotes_gpc, otherwise the
     // value would be escaped twice below
     if (get_magic_quotes_gpc()) {
         $value = stripslashes($value);
     }

     // Check if this function exists: mysql_real_escape_string() is available
     // from PHP 4.3.0 and escapes according to the charset of the open
     // connection held in $this->dbh
     if (function_exists('mysql_real_escape_string')) {
         $value = mysql_real_escape_string($value, $this->dbh);
     }
     // For PHP versions < 4.3.0 fall back to addslashes()
     else {
         $value = addslashes($value);
     }
     return $value;
 }
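The injection this thread is about, and the two ways of closing it that the posts mention (escaping the value versus keeping it out of the SQL text altogether), as an added example that is not code from the thread or from the rated package. It runs against an in-memory SQLite database through PDO so it needs no MySQL server; the `users` table, its rows and the attacker payloads are constructed for the example. Two caveats a practitioner should know that the posted `sql_quote()` cannot give you: the `mysql_*` extension it relies on was removed in PHP 7, and escaping only protects a value that sits inside a quoted string literal, so an unquoted numeric context such as `WHERE id = $id` stays injectable after escaping. The last function in the block demonstrates that second point.

```php
<?php
// Added example (not from the thread or the rated package): the same
// lookup built three ways, run against a constructed in-memory database.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)');
$db->exec("INSERT INTO users (name, password) VALUES ('alice', 's3cret'), ('bob', 'hunter2')");

// 1. Vulnerable: user input is concatenated straight into the statement,
//    so a payload containing a quote character rewrites the WHERE clause.
function findUserUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Escaping, in the spirit of the sql_quote() posted above, but using the
//    driver's own quoting. PDO::quote() doubles embedded single quotes and
//    adds the surrounding quotes itself, so the literal stays a literal.
function findUserEscaped(PDO $db, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = " . $db->quote($name);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Prepared statement: the value is bound separately and never becomes
//    part of the SQL text, so no escaping rules have to be right.
function findUserPrepared(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 4. Escaped but unquoted numeric context. addslashes() leaves this payload
//    untouched because it contains no quote, backslash or NUL, and the
//    resulting "WHERE id = 1 OR 1=1" matches every row.
function findByIdEscapedButUnquoted(PDO $db, string $id): array
{
    $sql = "SELECT id, name FROM users WHERE id = " . addslashes($id);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker inputs for the two contexts.
$stringPayload  = "' OR '1'='1";
$numericPayload = '1 OR 1=1';

printf("unsafe:   %d rows (every user; the clause became name = '' OR '1'='1')\n",
    count(findUserUnsafe($db, $stringPayload)));
printf("escaped:  %d rows (no user is literally named %s)\n",
    count(findUserEscaped($db, $stringPayload)), $stringPayload);
printf("prepared: %d rows (value bound, never parsed as SQL)\n",
    count(findUserPrepared($db, $stringPayload)));
printf("unquoted: %d rows even after addslashes(), because the id is not inside quotes\n",
    count(findByIdEscapedButUnquoted($db, $numericPayload)));
```

Run it with `php example.php` on any PHP build with the `pdo_sqlite` extension. The point for a class like the one being rated is that only the prepared-statement form is safe regardless of where the value lands in the query; an escaping helper such as `sql_quote()` is only correct if every call site also wraps the result in quotes, and that is exactly the invariant that gets lost as a class grows.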