Author Topic: lib/safeescape.php  (Read 5629 times)

Harthas

  • Guest
lib/safeescape.php
« on: April 07, 2008, 12:42:00 pm »
Also, this function could actually be enhanced.
I for myself would simply use the following code.

Code:
function safeescape( $input ){
   // Backslash-escape only " and ' (the same two characters the old safeescape() handled).
   return addcslashes( $input , '"\'' );
}

Probably we could also use addslashes for the whole system (I've just chosen addcslashes to do exactly the same as safeescape did). So we actually do not need a safeescape() anymore (seems to be a relic of those PHP3 times).

I haven't recognized any problems so far with just addslashes instead of safeescape.


So long - And thanks for all the fish.

Orogan

  • Newbie
  • *
  • Posts: 29
  • Karma: +0/-0
Re: lib/safeescape.php
« Reply #1 on: April 07, 2008, 12:57:30 pm »
You have a valid point there, Harthas. PHP3 should be replaced by OOP.

On DP I remember reading through something about / & \ at output and input, though for the life of me I cannot remember who posted it.

Nightborn

  • Administrator
  • Sr. Member
  • *****
  • Posts: 320
  • Karma: +20/-0
    • Shinobilegends
Re: lib/safeescape.php
« Reply #2 on: April 07, 2008, 01:06:36 pm »
Orogan, the point here is to keep people from doing MySQL injections ^^ that can break stuff.

$gold=httppost('gold'); // this is NOT in the allowed navs array, so it is raw request input

$sql="Update accounts set gold='".$gold."' WHERE acctid=3"; // unescaped string dropped straight into the SQL
db_query($sql);

and you can manipulate that. You can make ANY SQL query possible.

normally I just use

$gold=(int)httppost('gold');

How often does safeescape get used anyway? Oo I did not know that function still existed.
It should be fixed, but it won't be easy and it won't be fast. If you want
to help - wonderful. But keep in mind that it will take months of wading
through the ugliest code we have in the tree. If you've got a weak stomach -
stay out. I've been there and it's not a nice place.

   - Al Viro
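As an added illustration (not code from this thread or from the game's code base), the PHP script below puts the three approaches discussed here side by side: Harthas' quote-only escaping, plain addslashes, and Nightborn's (int) cast. It builds the same UPDATE statement as the snippet above from constructed inputs and prints the SQL string each approach produces, so the difference is visible without a database. The function names safeescape_demo and build_gold_update and both sample inputs are assumptions made for this example.

```php
<?php
// Added example for this thread, not code from the LoGD tree. The names
// safeescape_demo and build_gold_update and the sample inputs are assumptions.

// Harthas' proposed replacement: backslash-escape only " and '.
function safeescape_demo($input)
{
    return addcslashes($input, '"\'');
}

// The query shape from Nightborn's post; $gold is whatever the caller hands in.
function build_gold_update($gold)
{
    return "UPDATE accounts SET gold='" . $gold . "' WHERE acctid=3";
}

// Constructed inputs (not taken from any real request).
$quoteInput     = "0' OR '1'='1";      // tries to close the quoted literal
$backslashInput = "\\' OR 1=1 -- ";    // a backslash in front of the quote

// Case 1: raw string, exactly as in the vulnerable snippet in the post above.
echo build_gold_update($quoteInput), "\n";
// UPDATE accounts SET gold='0' OR '1'='1' WHERE acctid=3   <- literal is broken open

// Case 2: quotes-only escaping keeps this input inside the literal.
echo build_gold_update(safeescape_demo($quoteInput)), "\n";
// UPDATE accounts SET gold='0\' OR \'1\'=\'1' WHERE acctid=3

// Case 3: quotes-only escaping does NOT escape the backslash itself, so
// \' becomes \\' and MySQL reads that as an escaped backslash followed by a
// closing quote. addslashes() escapes \ as well (so does
// mysql_real_escape_string(), which needs a live connection and is
// therefore not called in this offline example).
echo build_gold_update(safeescape_demo($backslashInput)), "\n";
// UPDATE accounts SET gold='\\' OR 1=1 -- ' WHERE acctid=3   <- still broken open
echo build_gold_update(addslashes($backslashInput)), "\n";
// UPDATE accounts SET gold='\\\' OR 1=1 -- ' WHERE acctid=3  <- stays one literal

// Case 4: Nightborn's (int) cast. For a numeric column no escaping is needed:
// anything that does not start with a number collapses to 0.
echo build_gold_update((int) $quoteInput), "\n";
echo build_gold_update((int) $backslashInput), "\n";
// UPDATE accounts SET gold='0' WHERE acctid=3   (both lines)
```

The takeaway matches the thread: for a numeric field the cast is the simplest fix, and for string fields an escaper that also handles the backslash (addslashes, or better mysql_real_escape_string, which additionally knows the connection's character set) is preferable to escaping quotes alone.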

Harthas

  • Guest
Re: lib/safeescape.php
« Reply #3 on: April 07, 2008, 01:12:05 pm »
About 5 times (in systemmail.php and clan_membership.php).

Nightborn

  • Administrator
  • Sr. Member
  • *****
  • Posts: 320
  • Karma: +20/-0
    • Shinobilegends
Re: lib/safeescape.php
« Reply #4 on: April 07, 2008, 01:26:15 pm »
Hm, I might check up on the difference to the current PHP core function, but I believe " and ' are already both escaped.

Harthas

  • Guest
Re: lib/safeescape.php
« Reply #5 on: April 07, 2008, 07:20:56 pm »
Of course, for MySQL data mysql_real_escape_string is the best ;-)

Escaped in PHP core by default? That would be nice, of course. Or is it a setting in the php.ini?