[sork] Is /admin part of sork? + patches for samba and apg.

Eric Rostetter eric.rostetter@physics.utexas.edu
Thu, 25 Jul 2002 13:34:17 -0500


Quoting Ilya <mail@krel.org>:

> i am actually more concerned about possibility of sql statement injection,
> than if mail being lost, due to inability to type ;)

Yeah.  That's not an issue for the .forward based module.  But would be
for sql, and maybe others.  I'd suggest trying the PEAR DB::quote 
function as far as sql goes:

    /**
    * Quote the given string so it can be safely used within string delimiters
    * in a query.
    * @param $string mixed Data to be quoted
    * @return mixed "NULL" string, quoted string or original data
    */
    function quote($str = null)

I'm guessing there must be lots of examples in the Horde/IMP code (like
the preferences code, etc).  

You could also use some of the php quoting functions, though I would
hope the PEAR stuff would do everything needed.

Anyone who knows more about PHP sql quoting want to speak up?

-- 
Eric Rostetter
The Department of Physics
The University of Texas at Austin

"TAD (Technology Attachment Disorder) is an unshakable, impractical devotion
to a brand, platform, product line, or programming language. It's relatively
harmless among the rank and file, but when management is afflicted the damage
can be measured in dollars. It's also contagious -- someone with sufficient
political clout can infect an entire organization."

--"Enterprise Strategies" columnist Tom Yager.
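As an added illustration of the DB::quote() approach suggested above (example code, not part of sork, Horde or this mail): a forwarding-address update built by raw string interpolation next to the same statement built with PEAR DB quoting. The table and column names (forwards, user, target) and the DSN are placeholders.

```php
<?php
// Added example, not sork's own code. Assumes PEAR DB is installed and
// a table  forwards(user, target)  exists; the DSN below is a placeholder.
require_once 'DB.php';

// Unsafe: the values are dropped straight into the SQL text, so a single
// quote in $target (or $user) ends the string literal early and whatever
// follows becomes part of the statement.
function build_forward_unsafe($user, $target)
{
    return "UPDATE forwards SET target = '$target' WHERE user = '$user'";
}

// Safe: DB::quote() escapes the value and wraps it in the delimiters the
// backend expects, so it stays a string literal whatever it contains
// (a null value comes back as the literal NULL).
function build_forward_safe($db, $user, $target)
{
    return 'UPDATE forwards SET target = ' . $db->quote($target)
         . ' WHERE user = ' . $db->quote($user);
}

$db = DB::connect('mysql://sork:PLACEHOLDER@localhost/mail');
if (DB::isError($db)) {
    die($db->getMessage());
}

$user   = $_SERVER['PHP_AUTH_USER'];   // authenticated user
$target = $_POST['target'];            // untrusted form input

$res = $db->query(build_forward_safe($db, $user, $target));
if (DB::isError($res)) {
    die($res->getMessage());
}
```

PEAR DB's prepare()/execute() pair gives the same protection by binding values as parameters instead of quoting them into the query text.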