Wrong abstraction in MyTextSanitizer

Date 2006-06-03 04:38:17 | Category: XOOPS

Do you know MyTextSanitizer::addSlashes()?
Despite what the name suggests, it is not a wrapper around addslashes().

What MyTextSanitizer::addSlashes() actually does is:

magic_quotes_gpc=on : do nothing
magic_quotes_gpc=off : addslashes()

An abstraction designed this way causes SQL injection vulnerabilities in environments where magic_quotes_gpc=on, because a caller who passes a value that did not come from GPC gets it back unescaped.
(e.g. the XOOPS Search module)

- delete the method of addSlashes()
- rename addSlashes() into addSlashesGPC()

One of the two should be done.
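The following is an added illustration, not XOOPS code: it models the legacy method's behaviour as the post describes it (magic_quotes_gpc is passed as a flag, since modern PHP no longer has the setting) and shows that the result is correct only for values that came in through GPC, while a value from any other source stays unescaped when magic_quotes_gpc=on. The function names, the sample value and the isSafelyEscaped() check are assumptions made for this example.

```php
<?php
// Added illustration, not XOOPS code: why a method named addSlashes() whose
// behaviour silently depends on magic_quotes_gpc is the wrong abstraction.
// Modern PHP has no magic_quotes_gpc, so the setting is passed as a flag.

// Shape of the legacy method as the post describes it:
// magic_quotes_gpc=on -> return unchanged; off -> addslashes().
function legacyAddSlashes(string $text, bool $magicQuotesGpc): string
{
    return $magicQuotesGpc ? $text : addslashes($text);
}

// Same body, honest name: it only compensates for magic_quotes_gpc, so it is
// correct solely for values that came in through $_GET/$_POST/$_COOKIE.
function addSlashesGPC(string $gpcValue, bool $magicQuotesGpc): string
{
    return legacyAddSlashes($gpcValue, $magicQuotesGpc);
}

// For anything that did NOT arrive through GPC (database rows, computed
// strings, file contents) escaping must not depend on php.ini at all.
function escapeForSql(string $value): string
{
    return addslashes($value);
}

// Check: every single quote in the escaped text must carry a backslash.
function isSafelyEscaped(string $escaped): bool
{
    return preg_match("/(?<!\\\\)'/", $escaped) === 0;
}

$raw = "O'Reilly"; // constructed sample value containing a quote

foreach ([true, false] as $magic) {
    $label = $magic ? 'on ' : 'off';
    // A browser-posted copy: with magic_quotes_gpc=on PHP has already escaped it.
    $posted = $magic ? addslashes($raw) : $raw;
    // $raw itself stands for an unescaped copy, e.g. read back from the database.
    $cases = [
        'GPC value via addSlashesGPC()   ' => addSlashesGPC($posted, $magic),
        'DB value via legacy addSlashes()' => legacyAddSlashes($raw, $magic),
        'DB value via escapeForSql()     ' => escapeForSql($raw),
    ];
    foreach ($cases as $what => $out) {
        printf("magic_quotes_gpc=%s %s -> %-10s safe=%s\n",
            $label, $what, $out, isSafelyEscaped($out) ? 'yes' : 'NO');
    }
}
```

Only the "DB value via legacy addSlashes()" row with magic_quotes_gpc=on comes out unescaped, which is exactly the case the method's name hides from its callers.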

You can read more news at PEAK XOOPS.
http://xoops.peak.ne.jp

The URL for this story is:
http://xoops.peak.ne.jp/md/news/index.php?page=article&storyid=121