
SQL injection possible?


Claudia Kosny

Friday 03 November 2006 1:18:12 am

Hi there

My users can update some data on some objects using a webform. Due to technical reasons I cannot use the regular content/edit functionality, so I have written an extension that takes the posted data, checks which attributes are posted for which object and then uses something like this:
$contentObjectAttribute->setAttribute('data_int', $postedAttributeContent);
for each attribute.

This is working fine, but I am wondering how much I should worry about quotation marks or SQL injection in the posted data.

So are there any cleanup functions in the eZ SQL interface that I can use, or does eZ automatically check for and remove any possible problems?

Thanks for any tips or hints

Claudia

Sascha Frinken

Friday 03 November 2006 3:25:34 am

Hi Claudia,

AFAIK your attributes will be stored with eZPersistentObject::storeObject.
As you can see in http://pubsvn.ez.no/doxygen/ezpersistentobject_8php-source.html (line 00501, for example), it makes use of $db->escapeString( $value ), which prevents SQL injection.

HTH

Sascha
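The two posts above revolve around one point: a posted value that is concatenated into SQL text is dangerous, and a driver escape function (like the escapeString() call Sascha points to) neutralises the quotes inside it. The following is an added example, not code from eZ Publish or from either poster, and it uses Python with an in-memory SQLite database instead of PHP/MySQL so it can run stand-alone. The table, the rows and the escape_string() helper are constructed for the demonstration; escape_string() only doubles apostrophes, which is an assumption about the minimum such a helper must do for this dialect, not a copy of eZ's implementation. It contrasts three ways of storing the posted value: raw concatenation, escaping before concatenation, and bound parameters.

```python
import sqlite3

# Constructed stand-in for a content-attribute table (not eZ's real schema).
SCHEMA = """
CREATE TABLE content_attribute (
    id        INTEGER PRIMARY KEY,
    data_text TEXT,
    data_int  INTEGER
);
"""
SAMPLE_ROWS = [(1, "alpha", 10), (2, "beta", 20), (3, "gamma", 30)]


def fresh_db():
    """In-memory SQLite database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO content_attribute VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def escape_string(value):
    """Minimal stand-in for a driver escapeString(): doubles the apostrophe so a
    posted value cannot terminate the SQL string literal it is placed in.
    Assumption: real drivers (e.g. for MySQL) escape additional characters."""
    return str(value).replace("'", "''")


def update_text_raw(conn, attr_id, value):
    """Vulnerable variant: the posted value becomes part of the SQL text."""
    sql = ("UPDATE content_attribute SET data_text = '" + value
           + "' WHERE id = " + str(attr_id))
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # how many rows the statement actually touched


def update_text_escaped(conn, attr_id, value):
    """Escaped variant: quotes are neutralised before concatenation, so the
    value stays inside its literal. The id is cast because escaping does not
    protect a value that is interpolated outside quotes."""
    sql = ("UPDATE content_attribute SET data_text = '" + escape_string(value)
           + "' WHERE id = " + str(int(attr_id)))
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_int_parameterized(conn, attr_id, value):
    """Preferred variant: bound parameters, so the value never becomes SQL
    text. For an integer field like data_int the value is cast explicitly,
    which rejects non-numeric input with a ValueError."""
    cur = conn.execute(
        "UPDATE content_attribute SET data_int = ? WHERE id = ?",
        (int(value), int(attr_id)),
    )
    conn.commit()
    return cur.rowcount


def raw_breaks_on(value):
    """True if raw concatenation cannot even parse the posted value: this is
    the 'quotation marks' problem, an apostrophe ends the literal early."""
    conn = fresh_db()
    try:
        update_text_raw(conn, 1, value)
    except sqlite3.OperationalError:
        return True
    return False


def snapshot(conn):
    """Current table contents, ordered by id, for checking results."""
    return conn.execute(
        "SELECT id, data_text, data_int FROM content_attribute ORDER BY id"
    ).fetchall()


if __name__ == "__main__":
    # An ordinary name with an apostrophe already breaks the raw query.
    print("raw query fails on O'Reilly:", raw_breaks_on("O'Reilly"))
    # A value that closes the literal and comments out the WHERE clause
    # rewrites every row when concatenated raw, but only row 2 when escaped.
    print("rows changed, raw:", update_text_raw(fresh_db(), 2, "x' --"))
    print("rows changed, escaped:", update_text_escaped(fresh_db(), 2, "x' --"))
    conn = fresh_db()
    update_int_parameterized(conn, 3, "42")
    print(snapshot(conn))
```

The practical reading for the original question: escaping is what makes a quoted string literal safe, so a value passed through the persistent-object layer's escapeString() is handled for text fields. For an integer field such as data_int, the value is typically interpolated without quotes, where escaping does nothing; casting the posted value to an integer (or using bound parameters, as in the last function) is what removes the risk there.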