[Bb-trac] Re: [bbPress] #692: All bbPress functions that interact with the DB should expect unsanitized data
bbPress
bb-trac at lists.bbpress.org
Fri Jul 13 23:36:46 GMT 2007
#692: All bbPress functions that interact with the DB should expect unsanitized data
----------------------------+-----------------------------------------------
Reporter: mdawaffe | Owner:
Type: defect | Status: new
Priority: normal | Milestone: 0.8.3 & XML-RPC
Component: Administration | Version: 1.0-alpha (trunk)
Severity: normal | Resolution:
Keywords: |
----------------------------+-----------------------------------------------
Old description:
> bbPress has two kinds of functions that interact with the database:
> those that expect data to be pre-escaped, and those that escape the data
> for you.
>
> All bbPress functions should expect data to be un-escaped.
>
> This means that bbPress will be able to (and should) escape the data
> right before the actual query is made, greatly reducing any chance of SQL
> injection holes in core or plugins. It also makes passing data around
> between functions easier.
>
> We have a new {{{prepare()}}} method in the DB classes now that will do
> the escaping for us via a printf-like mechanism:
>
> {{{
> $result = $bbdb->get_results( $bbdb->prepare(
> "SELECT something FROM $bbdb->table WHERE foo = %s LIMIT %d",
> $value,
> $number
> ) );
> }}}
>
> See #WP4553
>
> This will "break" some plugins that use certain bbPress functions. I put
> break in quotes because the only symptom will be extra slashes (which
> are, granted, super annoying). The present and future benefits, I think,
> will greatly outweigh any backward incompatibility.
New description:
bbPress has two kinds of functions that interact with the database: those
that expect data to be pre-escaped, and those that escape the data for
you.

All bbPress functions should expect data to be un-escaped.

This means that bbPress will be able to (and should) escape the data right
before the actual query is made, greatly reducing any chance of SQL
injection holes in core or plugins. It also makes passing data around
between functions easier.

We have a new {{{prepare()}}} method [906] in the DB classes now that will
do the escaping for us via a printf-like mechanism:

{{{
$result = $bbdb->get_results( $bbdb->prepare(
    "SELECT something FROM $bbdb->table WHERE foo = %s LIMIT %d",
    $value,
    $number
) );
}}}

See #WP4553

This will "break" some plugins that use certain bbPress functions. I put
break in quotes because the only symptom will be extra slashes (which are,
granted, super annoying). The present and future benefits, I think, will
greatly outweigh any backward incompatibility.
--
Ticket URL: <http://trac.bbpress.org/ticket/692#comment:1>
bbPress <http://bbpress.org/>
Innovative forum development
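The following is an added illustration, not code from bbPress or from the ticket: a minimal printf-style `prepare()` that escapes values at the moment the SQL text is built, placed beside the raw-interpolation pattern the ticket wants removed and beside the "extra slashes" symptom it predicts for plugins that still pre-escape. There is no database connection, so escaping is done with PHP's `addslashes()` rather than a driver-aware escaper; the function name `example_prepare`, the table name and the input values are all assumed for the example.

```php
<?php
// Added example, not bbPress code: a minimal printf-style prepare() in the
// spirit of the $bbdb->prepare() method the ticket describes. No database
// connection is used, so escaping relies on addslashes(); a real driver
// would use its connection-aware escaper. All names here are assumed.

/**
 * Replace %s and %d placeholders with escaped, quoted values.
 *   %s  -> single-quoted string, quotes and backslashes escaped
 *   %d  -> value cast to integer
 *   %%  -> a literal percent sign
 * Throws if placeholders and arguments do not match one-to-one.
 */
function example_prepare(string $query, ...$args): string
{
    $out = '';
    $argIndex = 0;
    $len = strlen($query);
    for ($i = 0; $i < $len; $i++) {
        $c = $query[$i];
        if ($c !== '%') {
            $out .= $c;
            continue;
        }
        $spec = ($i + 1 < $len) ? $query[++$i] : '';
        if ($spec === '%') {
            $out .= '%';
            continue;
        }
        if ($spec !== 's' && $spec !== 'd') {
            throw new InvalidArgumentException("Unsupported placeholder '%{$spec}'");
        }
        if (!array_key_exists($argIndex, $args)) {
            throw new InvalidArgumentException('Too few arguments for the query');
        }
        $value = $args[$argIndex++];
        // Escaping happens here, immediately before the SQL text is built,
        // so callers pass raw (un-escaped) data and nothing is escaped twice.
        $out .= ($spec === 's')
            ? "'" . addslashes((string) $value) . "'"
            : (string) (int) $value;
    }
    if ($argIndex !== count($args)) {
        throw new InvalidArgumentException('Too many arguments for the query');
    }
    return $out;
}

// --- Constructed demonstration --------------------------------------------
$table = 'bb_topics';   // assumed table name
$title = "O'Reilly";    // constructed raw user input containing a quote

// 1. Raw interpolation: the quote closes the string literal early, so the
//    rest of the input is parsed as SQL. This is the pattern the ticket
//    wants every bbPress DB function to stop relying on.
$unsafe = "SELECT topic_id FROM $table WHERE topic_title = '$title' LIMIT 10";

// 2. The placeholder form: the quote is escaped and the limit is cast to
//    an integer, so the trailing letters in '10abc' are discarded.
$safe = example_prepare(
    "SELECT topic_id FROM $table WHERE topic_title = %s LIMIT %d",
    $title,
    '10abc'
);

// 3. The "extra slashes" symptom: a caller that still pre-escapes its data
//    gets it escaped a second time by prepare().
$doubled = example_prepare("SELECT 1 WHERE x = %s", addslashes($title));

echo $unsafe, "\n";
echo $safe, "\n";
echo $doubled, "\n";
```

Run with `php` on the command line: the first query prints with a broken string literal around `O'Reilly`, the second prints the quote as `\'` and `LIMIT 10`, and the third shows the doubled backslashes that the ticket describes as the only symptom plugins will see once they keep pre-escaping data that core now escapes for them.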