#215 - DB Safety
Type Enhancement
Status Closed
Milestone 3.0
Version 3.0
Component -
Priority Low
Severity Minor
Owner Devon
Assigned to -
Reported 12 years ago
Updated 10 years ago
Votes 0
Related tickets
Proposed time
Worked time

Hey guys,

I had a quick look at the 3.0 repo, but can't seem to find the equivalent of 2.2's db.class.php, specifically looking for the function(s) realescape || res In 2.2 I added to that class (I also made a post on the Traq blog >__> ) But you should add more safety to the function, I'm not going to set up a full pull request just to add it but.. :

If you need to ONLY use mysql_real_escape_string on something, I would suggest this in another function (I usually name it sanitizeString ;) )

    /**
     * Super safety, combining all "escapers"
     */
    public function realescape($string)
    {
        $string = strip_tags($string);     // remove HTML tags
        $string = htmlentities($string);   // encode HTML special characters
        $string = stripslashes($string);   // remove backslashes
        // ext/mysql escaper; needs the open connection in $this->link
        return mysql_real_escape_string($string, $this->link);
    }

Ticket History

12 years and 9 months ago by Devon

  • Type changed from Defect to Enhancement
Jack closed as Closed 12 years and 9 months ago

Traq 3.0 runs on a custom made framework which is located in the system/core directory.

The database functions are split into three files and classes.

There's the main database class that has the connect/select db/escape/etc functions, there's the query builder class (where/limit/order/etc) and then there's the statement class (fetch all/fetch assoc/num rows/etc).

These files are located in the system/core/database directory.

I'll be sticking with MySQL(i)'s real_escape_string; I don't want to strip anything from the original input as Traq relies on that original input in some places. For example on the Project and Milestone information pages, Markdown is going to be used, but where markdown doesn't supply a way to do something, regular old HTML will be used.

Traq 3.0 also uses an ORM (a currently experimental one being made for Traq 3.0) for most of the database stuff.
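The two positions in this ticket side by side, as an added example (not Traq's code, not the reporter's, not Jack's): the combined "escaper" from the first post, with the MySQL link left out so it runs offline, next to the approach Jack describes, which stores the original input and lets the SQL layer handle SQL escaping. PDO with an in-memory SQLite database stands in for Traq's own MySQL class, and the function names (combinedEscape, storeAndFetch, renderAsText) are this example's, not the project's.

```php
<?php
// Added example, not Traq code: the ticket's combined "escaper" next to the
// approach Jack describes (keep the original input, escape per context).
declare(strict_types=1);

// The escaper from the ticket with the MySQL link removed so it runs offline.
// Only the three string filters are kept; they are the steps that change the
// stored data. (mysql_real_escape_string only adds backslashes that the
// server strips again on insert, so it is not what alters the input.)
function combinedEscape(string $s): string
{
    $s = strip_tags($s);      // removes <b>, </b> and any other tag
    $s = htmlentities($s);    // & becomes &amp; before the DB ever sees it
    $s = stripslashes($s);    // removes backslashes that were part of the value
    return $s;
}

// Alternative: store the input unchanged through a prepared statement.
// PDO + in-memory SQLite stands in for Traq's MySQL class (an assumption
// of this example); parameter binding does the SQL escaping, so nothing
// has to be stripped from the value itself.
function storeAndFetch(PDO $db, string $name): string
{
    $db->exec('CREATE TABLE IF NOT EXISTS milestones (id INTEGER PRIMARY KEY, name TEXT)');

    $insert = $db->prepare('INSERT INTO milestones (name) VALUES (:name)');
    $insert->execute([':name' => $name]);
    $id = (int) $db->lastInsertId();

    $select = $db->prepare('SELECT name FROM milestones WHERE id = :id');
    $select->execute([':id' => $id]);
    return (string) $select->fetchColumn();
}

// HTML escaping belongs at render time, for places that show plain text.
// Where Traq renders Markdown (or allows raw HTML), that renderer, not this
// function, decides what stays; the point is that the decision is made at
// output while the original value is still available.
function renderAsText(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample input: Markdown, an inline HTML tag, a path with
// backslashes, an apostrophe and an ampersand.
$input = 'Release **3.0** <b>beta</b> from C:\\traq\\build O\'Brien & co';

echo "original: $input\n";
// The tag, the backslashes and the literal & and ' do not survive this.
echo "combined: " . combinedEscape($input) . "\n";

if (!in_array('sqlite', PDO::getAvailableDrivers(), true)) {
    fwrite(STDERR, "pdo_sqlite is not available; skipping the round trip\n");
    exit(0);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$stored = storeAndFetch($db, $input);
echo "stored:   $stored\n";                     // identical to the input
echo "as text:  " . renderAsText($stored) . "\n";
echo 'round trip intact: ' . ($stored === $input ? 'yes' : 'no') . "\n";
```

Run it with `php example.php`. The first line of output shows what the combined function hands to the database: the `<b>` tag and the backslashes in the path are gone and the `&` is already HTML-encoded, so a Markdown or HTML renderer later has nothing intact to work with. The prepared-statement path stores and returns the value byte for byte, and the HTML encoding happens only in renderAsText, at the one place where the value is known to be going into an HTML text context.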