
Re: [Phpgroupware-developers] Quotes in Forms


From: Dave Hall
Subject: Re: [Phpgroupware-developers] Quotes in Forms
Date: Thu, 26 Jun 2003 20:36:57 +1000

Ok, time for a whinge

HTML mail annoys the crap out of me - and IncrediMail should be renamed
IncrediStupidMailWhoseDevShouldBeShot!

Secondly, we already have a SQL quoting method in the db classes.  If
you find apps which do not use this, please report bugs on our bug
tracker https://savannah.gnu.org/bugs/?group=phpgroupware

Cheers

Dave
As you could have seen, there is a major security problem in SQL requests.
You certainly use '+Var+' to quote strings....

The solution is to create a simple text function named sqlquote which is
like that:

function sqlquote($str)
{
	return "'" . str_replace("'", "''", $str) . "'";
}

Requests will be much clearer... like

$sReq = "SELECT WHERE COL=" . sqlquote($var);


In France, we often use the quote in sentences... like L'école, L'ouvrier
etc...

We must write L''école to write in forums or anywhere in phpgroupware...

Else Fine suite, continue your job like that :)
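As an added example (not code from this thread or from phpGroupWare's own db classes), the quote-doubling sqlquote proposed above beside raw concatenation and a parameterized query, run against an in-memory SQLite table constructed for the demo:

```python
import sqlite3


def sql_quote(value: str) -> str:
    """Quote-doubling as proposed in the thread: wrap the value in single quotes
    and double every embedded single quote.  This yields a correct literal under
    SQL-standard string syntax (SQLite, PostgreSQL), but is NOT enough on backends
    that also treat backslash as an escape inside literals (MySQL's default mode),
    where a trailing backslash in the value would escape the closing quote."""
    return "'" + value.replace("'", "''") + "'"


def setup() -> sqlite3.Connection:
    # Constructed sample data, including the French titles from the thread.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO posts (title) VALUES (?)",
                     [("L'école",), ("L'ouvrier",), ("Hello",)])
    return conn


def count_raw_concat(conn: sqlite3.Connection, title: str) -> int:
    # The pattern the poster objects to: the value pasted straight into the literal.
    # Works only if the *user* already typed L''école; otherwise the statement is broken.
    sql = "SELECT COUNT(*) FROM posts WHERE title = '" + title + "'"
    return conn.execute(sql).fetchone()[0]


def raw_concat_breaks(conn: sqlite3.Connection, title: str) -> bool:
    # True when raw concatenation turns the value into a SQL syntax error.
    try:
        count_raw_concat(conn, title)
    except sqlite3.OperationalError:
        return True
    return False


def count_sql_quote(conn: sqlite3.Connection, title: str) -> int:
    # The thread's proposal: the application quotes, the user types plain text.
    sql = "SELECT COUNT(*) FROM posts WHERE title = " + sql_quote(title)
    return conn.execute(sql).fetchone()[0]


def count_parameterized(conn: sqlite3.Connection, title: str) -> int:
    # Placeholder binding: the driver passes the value separately from the SQL text,
    # so no backend's quoting rules have to be reproduced by hand.
    return conn.execute("SELECT COUNT(*) FROM posts WHERE title = ?",
                        (title,)).fetchone()[0]
```

Running the three lookups on "L'école" shows the raw version failing outright while the quoted and parameterized versions each find the row, which is the point Dave's reply makes about using the db classes' quoting rather than expecting users to type doubled quotes.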
_______________________________________________
Phpgroupware-developers mailing list
address@hidden
http://mail.gnu.org/mailman/listinfo/phpgroupware-developers