On Mon, 2002-02-11 at 00:21, * R&zE: wrote:

> I understand you try to 'protect' your own product, but you have to
> stay a bit realistic about some things. Of course I check the input.
> But you know... there's absolutely nothing wrong with allowing
> quotes to be stored in the database. It's just that awful 'feature'
> that makes it rather dangerous to do. If that feature/bug was
> documented _anywhere_ it would still not be good, but at least
> someone would know that PHP does this. But no... it's not
> documented, not anywhere! You can't check user input on stuff you
> don't know it can harm anything. Like I said... quotes are very
> normal to be allowed in the database.
>
> It would be a good thing if you guys do something of:
>
> 1. Get rid of the bug(/feature) right away, or
> 2. Document it clearly. E.g. in the documentation of odbc_execute().
OK, I checked into this further, and I must apologize: you are correct. I suspect that most of us didn't remember that this feature even existed... Anyway, I have now documented this, along with several of its existing restrictions. It should show up in the online manual within the next few days.

FWIW, this feature currently (in all versions up to 4.1.1) suffers from the following problems:

  o File reading is not subject to open_basedir.
  o File reading is not subject to safe_mode.
  o The last character of the filename parameter is replaced with \0 after the call to odbc_execute().
  o This kinda makes it impossible to use a string which begins and ends with single quotes as a parameter replacement.

These are also in the documentation which I added to odbc_execute(). I've submitted patches for the first three problems to the dev team; I guess we'll see whether someone gets around to committing them in time for 4.2.0. I personally would like to see a cleaner way to do this though.

Torben

> --
>
> * R&zE:

-- 
Torben Wilson <[EMAIL PROTECTED]>
http://www.thebuttlesschaps.com
http://www.hybrid17.com
http://www.inflatableeye.com
+1.604.709.0506

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
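The thread describes the hazard but not a defence for code that has to run on the affected PHP versions: a parameter whose first and last characters are single quotes is silently turned into a filename by odbc_execute(), with no open_basedir or safe_mode check, so a user-controlled value such as `'/etc/passwd'` becomes a file read. The following is an added example, not code from the thread or from PHP itself. The helper names (odbc_param_is_file_reference, odbc_check_params, odbc_execute_guarded) are hypothetical, and the decision to treat a lone single quote as dangerous is an assumption made here to stay conservative. The guard refuses such parameters instead of padding them, because the original poster's point is that quotes are legitimate data and changing them silently would corrupt what gets stored.

```php
<?php
// Added example (not from the mailing-list thread or from PHP).
// Guards parameters before they reach odbc_execute(), which on PHP <= 4.1.1
// treats a value that begins and ends with a single quote as a filename to
// read, bypassing open_basedir and safe_mode. Helper names are hypothetical.

/**
 * True when odbc_execute() would treat $value as a file reference:
 * the first and last characters are both a single quote, e.g. "'/etc/passwd'".
 * Assumption: a lone "'" is also rejected, since its first and last
 * character are the same quote; being conservative costs nothing here.
 */
function odbc_param_is_file_reference($value): bool
{
    if (!is_string($value) || $value === '') {
        return false;
    }
    return $value[0] === "'" && $value[strlen($value) - 1] === "'";
}

/**
 * Validate every parameter and return the array unchanged. Throwing is
 * deliberate: quotes are legitimate data, so the caller should decide how to
 * handle the rejected value rather than have it silently altered.
 */
function odbc_check_params(array $params): array
{
    foreach ($params as $i => $value) {
        if (odbc_param_is_file_reference($value)) {
            throw new InvalidArgumentException(
                "parameter $i begins and ends with a single quote; "
                . "odbc_execute() would read it as a filename"
            );
        }
    }
    return $params;
}

/**
 * Drop-in replacement for odbc_execute($stmt, $params) that refuses any
 * parameter able to trigger the file-reading behaviour.
 */
function odbc_execute_guarded($stmt, array $params): bool
{
    return odbc_execute($stmt, odbc_check_params($params));
}

// Constructed sample inputs (not real user data) showing what is rejected.
// Keys are the candidate parameter values, values are the expected verdict.
$samples = [
    "O'Brien"       => false, // embedded quote: perfectly fine to store
    "it's 'ok'"     => false, // ends with a quote but does not start with one
    "'quoted'"      => true,  // would be read as a file named "quoted"
    "'/etc/passwd'" => true,  // would be read as /etc/passwd
    "'"             => true,  // lone quote, rejected conservatively
    " 'quoted'"     => false, // leading space: no longer matches the check
    "plain"         => false,
];

foreach ($samples as $input => $expected) {
    $verdict = odbc_param_is_file_reference($input);
    if ($verdict !== $expected) {
        throw new RuntimeException("unexpected verdict for " . var_export($input, true));
    }
}

// A rejected value surfaces as an exception instead of a file read.
try {
    odbc_check_params(['name' => "'/etc/passwd'"]);
    throw new RuntimeException("guard did not fire");
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The sample table runs without the ODBC extension; only odbc_execute_guarded() needs a real statement handle. Note that the check is only as good as its placement: it must sit on the path every user-supplied parameter takes to odbc_execute(), since the page reports that neither open_basedir nor safe_mode catches the read on the affected versions.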