Currently, the query structure uses string interpolation to fill in values of donor, donee etc. In theory, this could allow for some kind of SQL injection into the query that could cause inappropriate SQL code to be run. I would like to move to a safer query structure that uses prepared statements.
We've already been using this safer query structure in a few places, so it should be easy to do. It just needs to be applied across a bunch of files.
Ok, I think I found and replaced all of them. There's only one line that uses `$mysqli->query()` now, and that query doesn't have any parameters.
There are still queries that use string interpolation, e.g. for `$numDoneesToShowInLimitedView`, but this is safe since these use variables that are defined in the source (rather than obtained via user input).
ETA: I'm getting some bugs so I'll fix those.
ETA2: I've fixed all the bugs so this should be ready to be pulled.
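As an added example (not code from this PR or from the repository), here is the shape of the change described above, written for `mysqli` in PHP: the same donor lookup with the interpolated query it replaces, the prepared-statement version, and the two cases a prepared statement does not cover on its own (a `LIMIT` taken from a source-defined variable, and an identifier such as a sort column). The `donations` table, its columns, the connection details and the `$numDoneesToShowInLimitedView` value are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Assumed for the example: an open mysqli connection with exceptions enabled.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$mysqli = new mysqli('localhost', 'app_user', 'app_password', 'donations_db');

// Assumed source-defined constant (not user input), as in the PR description.
$numDoneesToShowInLimitedView = 10;

/**
 * BEFORE: values interpolated straight into the SQL text.
 * A donor string such as   x' OR '1'='1   rewrites the WHERE clause, and
 * a trailing  '; DROP TABLE donations; --  ends the query entirely.
 */
function donationsByDonorUnsafe(mysqli $mysqli, string $donor, int $limit): array
{
    $sql = "SELECT donee, amount, donation_date FROM donations
            WHERE donor = '$donor'
            ORDER BY donation_date DESC LIMIT $limit";
    return $mysqli->query($sql)->fetch_all(MYSQLI_ASSOC);
}

/**
 * AFTER: prepared statement. The SQL text is sent once with placeholders;
 * the values are bound separately, so the server never parses them as SQL.
 * LIMIT is bound as an integer ('i') as well: it costs nothing and means
 * nobody later has to re-check whether that variable still comes from source.
 * (get_result() requires the mysqlnd driver, the default in modern PHP.)
 */
function donationsByDonor(mysqli $mysqli, string $donor, int $limit): array
{
    $stmt = $mysqli->prepare(
        'SELECT donee, amount, donation_date FROM donations
         WHERE donor = ?
         ORDER BY donation_date DESC LIMIT ?'
    );
    $stmt->bind_param('si', $donor, $limit);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

/**
 * Caveat: placeholders only stand for values. Table and column names cannot
 * be bound, so a caller-chosen sort column must be checked against an
 * allow-list before it is spliced into the query text.
 */
function donationsByDonorOrderedBy(mysqli $mysqli, string $donor, string $orderBy, int $limit): array
{
    $allowedColumns = ['amount', 'donation_date', 'donee'];
    if (!in_array($orderBy, $allowedColumns, true)) {
        throw new InvalidArgumentException('unsupported sort column: ' . $orderBy);
    }
    $stmt = $mysqli->prepare(
        "SELECT donee, amount, donation_date FROM donations
         WHERE donor = ?
         ORDER BY `$orderBy` DESC LIMIT ?"
    );
    $stmt->bind_param('si', $donor, $limit);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Usage: the donor name comes from the request, the limit from source.
$donor = (string) ($_GET['donor'] ?? '');
foreach (donationsByDonor($mysqli, $donor, $numDoneesToShowInLimitedView) as $row) {
    printf("%s gave %s to %s\n", $donor, $row['amount'], $row['donee']);
}
```

When auditing a migration like this one, a search such as `grep -rn -E '\$mysqli\s*->\s*query\(' .` across the tree lists every remaining direct `query()` call; each hit should either take no parameters at all, as noted above, or be converted. Interpolated variables that are defined in source are safe today but tend to stop being so when a later change lets a request parameter reach them, which is why binding even constant values is the cheaper long-term choice.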
See also vipulnaik/contractwork#21