Hey guys,
I had a quick look at the 3.0 repo, but can't seem to find the equivalent of 2.2's db.class.php, specifically looking for the function(s) realescape || res that I added to that class in 2.2 (I also made a post on the Traq blog >__> ). But you should add more safety to the function; I'm not going to set up a full pull request just to add it, but.. :
If you need to ONLY use mysql_real_escape_string on something, I would suggest this in another function (I usually name it sanitizeString ;) )
/**
Traq 3.0 runs on a custom made framework which is located in the system/core directory. The database functions are split into three files and classes. There's the main database class that has the connect/select db/escape/etc functions, there's the query builder class (where/limit/order/etc) and then there's the statement class (fetch all/fetch assoc/num rows/etc). These files are located in the system/core/database directory.

I'll be sticking with MySQL(i)'s real_escape_string, I don't want to strip anything from the original input as Traq relies on that original input in some places. For example on the Project and Milestone information pages, Markdown is going to be used, but where markdown doesn't supply a way to do something, regular old HTML will be used.

Traq 3.0 also uses an ORM (a currently experimental one being made for Traq 3.0) for most of the database stuff.