Thread: [How To] Never Worry About SQL Injections and Queries Again
View Single Post
  #3  
Old 03-29-2012, 05:33 PM
vbresults vbresults is offline
 
Join Date: Apr 2009
Posts: 687
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by kh99 View Post
Interesting idea - it definitely would help by making sure that any strings are escaped. However, I don't agree with your assertion that it's "a lot simpler". In fact, I find the second example to be a bit misleading because normally you would not collect all the records in an array, but instead you'd process them in a loop. So the second case using your product would require a for loop after it to process the records - the same loop that appears in the "common way" example. Also, collecting all the records in an array holds them all in memory at the same time, which could be an issue for a query that returns a lot of large records. One more thing that I admit is nit-picking - you probably would not need to worry about escaping a userid that was passed in $vbulletin->GPC['userid'] because you would have "cleaned" it using TYPE_INT (and you'd probably want to check for it being a postivie integer before going ahead with a query).

That said, it's a good idea, and there are probably people who aren't confident in their ability to ensure that all strings are escaped before using them in a query. Can't argue with the fact that that's been the issue in a couple of recent mod security problems, so using this would probably have avoided them.

Thanks for sharing this.
It would make sure that any strings are escaped as you said. Most add-on queries that would cause a performance hit can have the limit adjusted or results paginated. Also, note that the read example was just that -- an example. I'll adjust it, but who's nit-picking now?

I really do hope coders start using this; it would change hundreds if not thousands of lives.

My pleasure to share.
Reply With Quote
 
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01209 seconds
  • Memory Usage 1,766KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD_SHOWPOST
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)bbcode_quote
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_box
  • (1)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit_info
  • (1)postbit
  • (1)postbit_onlinestatus
  • (1)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • reputationlevel
  • showthread
Included Files:
  • ./showpost.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showpost_start
  • bbcode_fetch_tags
  • bbcode_create
  • postbit_factory
  • showpost_post
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • showpost_complete