Move completely to a safe query structure on donations.vipulnaik.com #127

Closed · vipulnaik opened this issue Jan 20, 2020 · 2 comments

vipulnaik (Owner) commented Jan 20, 2020
Currently, the query structure uses string interpolation to fill in values of donor, donee etc. In theory, this could allow for some kind of SQL injection into the query that could cause inappropriate SQL code to be run. I would like to move to a safer query structure that uses prepared statements.

We've already been using this safer query structure in a few places, so it should be easy to do. It just needs to be applied across a bunch of files.

See also vipulnaik/contractwork#21

riceissa (Collaborator) commented:
I will be working here: https://github.com/vipulnaik/donations/tree/safe-query

riceissa (Collaborator) commented Jan 21, 2020

Ok, I think I found and replaced all of them. There's only one line that uses $mysqli->query() now, and that query doesn't have any parameters.

There are still queries that use string interpolation, e.g. for $numDoneesToShowInLimitedView, but this is safe since these use variables that are defined in the source (rather than obtained via user input).

ETA: I'm getting some bugs so I'll fix those.

ETA2: I've fixed all the bugs so this should be ready to be pulled.
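The before/after pattern this issue describes, as an added example rather than code from the donations repository: the interpolated mysqli query beside its prepared-statement replacement, plus the LIMIT case riceissa mentions. The table `donations`, its columns, the connection details and the function names are assumptions.

```php
<?php
// Added example, not the donations repository's own code. Assumed schema:
// table `donations` with columns `donor`, `donee`, `amount`; table, column
// names and connection details are placeholders. Needs the mysqlnd driver
// (default in modern PHP) for get_result()/fetch_all().
$mysqli = new mysqli("localhost", "DB_USER", "DB_PASSWORD", "DB_NAME");
$mysqli->set_charset("utf8mb4");

// Before: the value is spliced into the SQL text. A quote character inside
// $donor changes the structure of the statement, which is the injection risk
// the issue is about.
function donationsForDonorUnsafe(mysqli $mysqli, string $donor): array {
    $sql = "SELECT donee, amount FROM donations WHERE donor = '$donor'";
    return $mysqli->query($sql)->fetch_all(MYSQLI_ASSOC);
}

// After: the statement shape is fixed at prepare() time and the value is sent
// separately through bind_param(), so it can only ever be compared as data.
function donationsForDonor(mysqli $mysqli, string $donor): array {
    $stmt = $mysqli->prepare("SELECT donee, amount FROM donations WHERE donor = ?");
    $stmt->bind_param("s", $donor);   // "s": bind as string
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// The LIMIT case from the thread: a count defined in the source (never taken
// from the request) is safe to interpolate, but binding it as an integer
// parameter keeps every query on the same prepared path.
function topDoneesLimited(mysqli $mysqli, int $numDoneesToShowInLimitedView): array {
    $stmt = $mysqli->prepare(
        "SELECT donee, SUM(amount) AS total FROM donations "
        . "GROUP BY donee ORDER BY total DESC LIMIT ?"
    );
    $stmt->bind_param("i", $numDoneesToShowInLimitedView);   // "i": bind as integer
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Usage: $donor originates from the request, so it must go through the
// prepared-statement path, never through donationsForDonorUnsafe().
$donor = $_GET['donor'] ?? '';
$rows = donationsForDonor($mysqli, $donor);
$top = topDoneesLimited($mysqli, 10);
```

A quick way to audit a tree for leftovers is to grep for `->query(` and for `"` strings containing `$` next to SQL keywords; the single remaining parameterless `query()` call the thread mentions is the expected result.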
