lib/safeescape.php

[Harthas]

Also this function could abctually be enhanced.
I for myself would simply use following code.

Code:

function safeescape( $input ){
   $return = addcslashes( $input , '"\'' );
   
   return $return;
}

Probably we could also use addslashes for the whole system (I've just chosen addcslashes to do exactly the same than safeescape did). So we actually do not need a safeescape() anymore (seems to be a relict out of those PHP3 times).

I haven't recognized any problems so far with just addslashes instead of safeescape.


So long - And thanks for all the fish.

[Orogan]

You have a vaild point there Harthas, PHP3 should be replaced by OOP. 

On DP i remember reading through something about / & \ at output and input though for the life of me i cannot remember who posted it.

[Nightborn]

Orogan, the point here is to keep people from doing mysql injections ^^ that can break stuff.

$gold=httppost('gold'); //this is NOT in the allowed navs array

$sql="Update accounts set gold='".$gold."' WHERE acctid=3";
db_query($sql);

and you can manipulate that. You can make ANY sql query possible.

normally I just use

$gold=(int)httppost('gold');

how often does safeescape get used anyway Oo I did not know that function still existed.

[Harthas]

About 5 times (In systemmail.php and clan_membership.php

[Nightborn]

hm, I might check up  the difference to the current php core function, but I believe " and ' are already both escaped.

[Harthas]

Of course, for MySQL-data mysql_real_escape_string is the best ;-)

Escaped in PHPcore by Default? That would be nice of course. Or is it a setting in the php.ini?