Wrong abstraction in MyTextSanitizer
Date 2006-06-03 04:38:17 | Category: XOOPS
Do you know MyTextSanitizer::addSlashes()? It is not a wrapper for PHP's addslashes(), although the name makes that sound natural.
What MyTextSanitizer::addSlashes() actually does is:
magic_quotes_gpc=on : do nothing
magic_quotes_gpc=off : addslashes()
This abstraction causes SQL injection vulnerabilities in environments with magic_quotes_gpc=on: a developer who trusts the name and calls addSlashes() on a string that did not arrive through GET/POST/COOKIE (and so was never escaped by the runtime) gets no escaping at all, while the same code looks fine with magic_quotes_gpc=off. (e.g. the XOOPS Search module)
Either of the following should be done:
- delete the addSlashes() method
- rename addSlashes() to addSlashesGPC()
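The following PHP is an added illustration, not code from XOOPS or from this post. It models a sanitizer whose addSlashes() behaves exactly as described above and shows the same call being safe with magic_quotes_gpc=off and injectable with magic_quotes_gpc=on. The magic_quotes_gpc setting is simulated with a boolean so the script runs on current PHP (the feature no longer exists); the class name DemoTextSanitizer, the table demo_search and the base64-encoded parameter are assumptions chosen to stand in for any value that never passed through GPC.

```php
<?php
// Added example, not XOOPS code. $magicQuotesOn simulates the magic_quotes_gpc
// ini setting: when on, PHP itself ran addslashes() over $_GET/$_POST/$_COOKIE
// before the script saw them. Simulated here so this runs on current PHP.

class DemoTextSanitizer
{
    private $magicQuotesOn;

    public function __construct(bool $magicQuotesOn)
    {
        $this->magicQuotesOn = $magicQuotesOn;
    }

    // The behaviour the post describes: escape only when the runtime did not.
    // Correct for a raw GPC value, wrong for anything else.
    public function addSlashes(string $text): string
    {
        if (!$this->magicQuotesOn) {
            $text = addslashes($text);
        }
        return $text;
    }

    // The rename the post proposes: same body, but the name now states the
    // one kind of input this method is valid for.
    public function addSlashesGPC(string $text): string
    {
        return $this->addSlashes($text);
    }
}

// What the runtime would hand the script for a request parameter.
function fromGpc(string $raw, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? addslashes($raw) : $raw;
}

// Assumed table and column names, for illustration only.
function keywordQuery(string $escaped): string
{
    return "SELECT * FROM demo_search WHERE keyword = '" . $escaped . "'";
}

$attackerInput = "x' OR '1'='1";            // constructed sample input

foreach ([true, false] as $mq) {
    $ts = new DemoTextSanitizer($mq);
    echo 'magic_quotes_gpc=' . ($mq ? 'on' : 'off') . "\n";

    // Case 1: a value straight from the request. addSlashes() yields exactly
    // one level of escaping under either setting, so the query is safe.
    $fromRequest = fromGpc($attackerInput, $mq);
    echo '  GPC value     : ' . keywordQuery($ts->addSlashes($fromRequest)) . "\n";

    // Case 2: a value that did not pass through GPC. Here the module receives a
    // base64-encoded parameter and decodes it. The runtime escaped the encoded
    // form (which contains no quotes), not the decoded one, so with magic quotes
    // on addSlashes() leaves the quote intact and the query is injectable.
    $decoded = base64_decode(fromGpc(base64_encode($attackerInput), $mq));
    echo '  decoded value : ' . keywordQuery($ts->addSlashes($decoded)) . "\n";

    // Correct handling of non-GPC data: escape unconditionally (in a real
    // module, with the database driver's own escaping function).
    echo '  decoded, fixed: ' . keywordQuery(addslashes($decoded)) . "\n";
}
```

Run it with `php` and compare the two "decoded value" lines: under off the quote is escaped, under on it is not. The renamed addSlashesGPC() does not change that behaviour; it only makes the misuse in case 2 visible at the call site, which is the point of the rename.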