Ticket #515 (fixed bug)

DB Layer: Escape table names etc.

  • Created: 2011-10-19 23:13:03
  • Reported by: Franz
  • Assigned to: Franz
  • Milestone: 2.0-alpha1
  • Component: database
  • Priority: normal

Technically, these values should not come from user input etc.

Since we don't know for sure, though; since this is meant to be used by other projects, too; to be on the safe side; and because I will probably be shot if I don't... we should do it.

Discussion: http://fluxbb.org/forums/viewtopic.php?id=5754

History

Franz 2011-11-01 21:45:23

Commit 10c606f to database master

#515: Properly quote strings that are passed into queries.

Franz 2011-11-02 00:02:38

Commit 2c27924 to database master

Add functions quoteTable() and quoteColumn() for escaping table and column names in queries.
Related to #515.

Franz 2011-11-02 22:18:54

Commit fdcd37d to database master

#515: Escape table and column names in queries.
NOTE: This breaks working with things like the forum, because it uses aliases, which is currently absolutely not supported.

Franz 2011-11-03 10:03:33

  • Status changed from open to fixed.

Well, ok, I quoted stuff where possible.

Unfortunately, properly quoting table and field names is not worth the overhead.

This does not mean that things are not safe (especially not in the core), but now (extension) developers are responsible themselves for making sure that there are no unsanitized table or column names in query objects.
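For readers who want to see what the quoteTable()/quoteColumn() helpers from the commit above and the "no unsanitized table or column names" rule in the closing comment look like in practice, here is an added example written for this page; it is not FluxBB's own code, and the class name, the driver-to-quote-character mapping and the `name AS alias` / `table.column` handling are assumptions.

```php
<?php
// Added illustration, not FluxBB's database layer. Assumes a MySQL-style
// backend by default; other drivers get the SQL-standard double quote.

final class IdentifierQuoter
{
    private string $quote;

    public function __construct(string $driver = 'mysql')
    {
        // Assumed mapping: MySQL quotes identifiers with backticks, SQLite and
        // PostgreSQL with double quotes.
        $this->quote = ($driver === 'mysql') ? '`' : '"';
    }

    // Quote one bare identifier. An allowlist check comes first: quoting alone
    // neutralises an embedded quote character, but rejecting anything outside
    // [A-Za-z0-9_] means a name such as "users; DROP TABLE x" never reaches
    // the query at all, which is the property the closing comment asks for.
    public function quoteIdentifier(string $name): string
    {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
            throw new InvalidArgumentException("Invalid identifier: $name");
        }
        // Doubling the quote character is the standard escape; after the
        // allowlist check it cannot occur, kept as defence in depth.
        $escaped = str_replace($this->quote, $this->quote . $this->quote, $name);
        return $this->quote . $escaped . $this->quote;
    }

    public function quoteTable(string $table): string
    {
        return $this->quoteIdentifier($table);
    }

    // A column may be qualified ("t.col") or aliased ("col AS c"). The commit
    // note says aliases broke the first attempt, so both shapes are handled:
    // each dotted part and the alias are quoted separately.
    public function quoteColumn(string $column): string
    {
        $alias = null;
        if (preg_match('/^(.+?)\s+AS\s+([A-Za-z_][A-Za-z0-9_]*)$/i', $column, $m)) {
            $column = $m[1];
            $alias = $m[2];
        }
        $parts = array_map([$this, 'quoteIdentifier'], explode('.', $column));
        $sql = implode('.', $parts);
        return $alias === null ? $sql : $sql . ' AS ' . $this->quoteIdentifier($alias);
    }
}

$q = new IdentifierQuoter('mysql');
echo $q->quoteTable('forums'), "\n";              // `forums`
echo $q->quoteColumn('f.num_topics AS topics'), "\n"; // `f`.`num_topics` AS `topics`
```

Extension code that builds query objects from configurable names should route every table and column through such a helper so that a malformed name is rejected before it reaches the database rather than silently concatenated into SQL.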