[Bb-trac] Re: [bbPress] #692: All bbPress functions that interact with the DB should expect unsanitized data

bbPress bb-trac at lists.bbpress.org
Fri Jul 13 23:36:46 GMT 2007


#692: All bbPress functions that interact with the DB should expect unsanitized
data
----------------------------+-----------------------------------------------
 Reporter:  mdawaffe        |        Owner:                   
     Type:  defect          |       Status:  new              
 Priority:  normal          |    Milestone:  0.8.3 & XML-RPC  
Component:  Administration  |      Version:  1.0-alpha (trunk)
 Severity:  normal          |   Resolution:                   
 Keywords:                  |  
----------------------------+-----------------------------------------------
Old description:

> bbPress has two kinds of functions that interact with the database:
> those that expect data to be pre-escaped, and those that escape the data
> for you.
>
> All bbPress functions should expect data to be un-escaped.
>
> This means that bbPress will be able to (and should) escape the data
> right before the actual query is made, greatly reducing any chance of SQL
> injection holes in core or plugins.  It also makes passing data around
> between functions easier.
>
> We have a new {{{prepare()}}} method in the DB classes now that will do
> the escaping for us via a printf-like mechanism:
>
> {{{
> $result = $bbdb->get_results( $bbdb->prepare(
>         "SELECT something FROM $bbdb->table WHERE foo = %s LIMIT %d",
>         $value,
>         $number
> ) );
> }}}
>
> See #WP4553
>
> This will "break" some plugins that use certain bbPress functions.  I put
> break in quotes because the only symptom will be extra slashes (which
> are, granted, super annoying).  The present and future benefits, I think,
> will greatly outweigh any backward incompatibility.

New description:

 bbPress has two kinds of functions that interact with the database:  those
 that expect data to be pre-escaped, and those that escape the data for
 you.

 All bbPress functions should expect data to be un-escaped.

 This means that bbPress will be able to (and should) escape the data right
 before the actual query is made, greatly reducing any chance of SQL
 injection holes in core or plugins.  It also makes passing data around
 between functions easier.

 We have a new {{{prepare()}}} method [906] in the DB classes now that will
 do the escaping for us via a printf-like mechanism:

 {{{
 $result = $bbdb->get_results( $bbdb->prepare(
         "SELECT something FROM $bbdb->table WHERE foo = %s LIMIT %d",
         $value,
         $number
 ) );
 }}}

 See #WP4553

 This will "break" some plugins that use certain bbPress functions.  I put
 break in quotes because the only symptom will be extra slashes (which are,
 granted, super annoying).  The present and future benefits, I think, will
 greatly outweigh any backward incompatibility.

-- 
Ticket URL: <http://trac.bbpress.org/ticket/692#comment:1>
bbPress <http://bbpress.org/>
Innovative forum development
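The two calling conventions the ticket wants to unify, and the "extra slashes" symptom it predicts, as an added example in PHP that is not bbPress code. `demo_prepare()` is a deliberately minimal printf-style prepare() written for this illustration; `demo_escape()` uses `addslashes()` only so the example runs without a database and is an assumption standing in for the driver's connection-aware escaper. The table and column names are illustrative.

```php
<?php
// Added example (not bbPress code): a minimal printf-style prepare() in the
// spirit of the ticket, plus the two calling conventions it wants to unify.

// Stand-in for the database driver's escaper. ASSUMPTION: the real bbPress
// escape routine is connection/charset aware; addslashes() is used here only
// so the example runs offline. Do not use it against a real MySQL connection.
function demo_escape($value)
{
    return addslashes((string) $value);
}

// Minimal prepare(): %s becomes a quoted, escaped string, %d an integer and
// %% a literal percent sign. Everything else in the query is left untouched,
// so identifiers such as table names must come from trusted code, never from
// request data.
function demo_prepare($query, ...$args)
{
    $i = 0;
    return preg_replace_callback('/%([sd%])/', function ($m) use (&$i, $args) {
        if ($m[1] === '%') {
            return '%';
        }
        if (!array_key_exists($i, $args)) {
            throw new InvalidArgumentException("No argument for placeholder #$i");
        }
        $arg = $args[$i++];
        if ($m[1] === 'd') {
            return (string) (int) $arg;   // non-numeric tails are dropped by the cast
        }
        return "'" . demo_escape($arg) . "'";
    }, $query);
}

// Old style: the function trusts its caller to have escaped $title already.
function legacy_topic_query($title)
{
    return "SELECT topic_id FROM bb_topics WHERE topic_title = '$title' LIMIT 1";
}

// New style (what the ticket asks for): raw data in, escaping at query time.
function new_topic_query($title, $limit = 1)
{
    return demo_prepare(
        "SELECT topic_id FROM bb_topics WHERE topic_title = %s LIMIT %d",
        $title,
        $limit
    );
}

$raw       = "O'Reilly";                 // constructed sample input
$malicious = "x' OR '1'='1";             // constructed sample input

// 1. Raw request data into the legacy function: the quote is not escaped,
//    so the attacker's text closes the literal and rewrites the WHERE clause.
echo legacy_topic_query($malicious), "\n";

// 2. Raw request data into the new function: the quote is escaped inside the
//    literal and the LIMIT argument is forced to an integer.
echo new_topic_query($malicious, "5; DROP TABLE bb_topics"), "\n";

// 3. Data the caller already escaped, passed to the new function: escaped a
//    second time. The backslash itself gets escaped, so MySQL would store the
//    value with a stray backslash. This is the "break" the ticket describes.
echo new_topic_query(demo_escape($raw)), "\n";
```

Case 3 is why the ticket calls the breakage cosmetic rather than dangerous: double escaping yields `'O\\\'Reilly'` in the query text, which MySQL decodes to `O\'Reilly`, an extra slash in stored data but no change to query structure. Case 1 is the real hazard the single convention removes, because a function that expects pre-escaped input has no way to tell whether its caller actually escaped. Note also that `prepare()` covers only the `%s` and `%d` placeholders; the `$bbdb->table` interpolated directly into the ticket's query string is outside its protection and must never be derived from user input.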