Jeremy Jongsma wrote:
On Fri, 14 Oct 2005 10:34:14 -0500, garaged garaged@gmail.com wrote:
The postgres support (using pear) may be important, but doesn't it make sense to port DB interaction to adodb?? Is there any reason for not using it and using pear libraries?
I don't think there's any reason to switch now that it's in place. They are both capable packages.
One thing I noticed in almost all of the DB code is that most or all of it seems to use sprintf-constructed SQL strings, not prepared statements. It would be pretty easy for an attacker to inject malicious SQL into the system.
Pear::DB supports parameter binding in both prepare() and query(). rcube_db::query() should take an optional array parameter, which it could then pass through to Pear::DB's query(), which would take care of all the necessary parameter escaping, and would also usually improve performance (depending on whether the database supports prepared statements).
Then code like this (parameters indented for clarity):
$sql_result = $DB->query(sprintf("SELECT cache_id, data FROM %s WHERE user_id=%d AND cache_key='%s'",
                                 get_table_name('cache'),
                                 $_SESSION['user_id'],
                                 $key));
could be changed to this:
$sql_result = $DB->query(sprintf("SELECT cache_id, data FROM %s WHERE user_id=? AND cache_key=?",
                                 get_table_name('cache')),
                         array($_SESSION['user_id'], $key));
Thoughts?
I certainly agree that it should be done that way. The only thing that I would add is that we need to be a little bit careful about the "FROM %s" portion, since some names would need to be quoted. And we have the same issue with some of the column names ("default" for instance). But we could probably handle both of them with a "get_table_name()" and a "get_column_name()" function.
John =:->
-j
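The wrapper Jeremy proposes, together with the identifier quoting John raises, written out as an added example (this is illustrative code, not Roundcube's rcube_db and not Jeremy's or John's code). It assumes a connected Pear::DB handle from DB::connect(), a hypothetical class name rcube_db_example, and a placeholder DSN and table prefix.

```php
<?php
// Added illustration, not Roundcube's rcube_db. Requires Pear::DB on the include path.
require_once 'DB.php';

class rcube_db_example
{
    private $db;       // Pear::DB connection object
    private $prefix;   // assumed table prefix, e.g. "rc_"

    public function __construct($db, $prefix = '')
    {
        $this->db     = $db;
        $this->prefix = $prefix;
    }

    // Optional $params array goes straight to Pear::DB::query(), which binds each
    // '?' placeholder and escapes the value for the backend. Never use the '!'
    // placeholder with untrusted data: Pear::DB inserts it unescaped.
    public function query($sql, $params = array())
    {
        $result = $this->db->query($sql, $params);
        if (PEAR::isError($result)) {
            error_log('SQL error: ' . $result->getMessage());
            return false;
        }
        return $result;
    }

    // Identifiers cannot be bound as parameters, so table and column names are
    // validated against a strict character set and then quoted with
    // quoteIdentifier(), which also makes reserved words such as "default" safe.
    public function get_column_name($name)
    {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
            trigger_error("Invalid identifier: $name", E_USER_ERROR);
        }
        return $this->db->quoteIdentifier($name);
    }

    public function get_table_name($name)
    {
        return $this->get_column_name($this->prefix . $name);
    }
}

// Usage with constructed values (DSN is a placeholder; user_id and key stand in for session data).
$rc  = new rcube_db_example(DB::connect('pgsql://user:password@localhost/roundcube'), 'rc_');
$sql = sprintf("SELECT cache_id, data FROM %s WHERE user_id=? AND cache_key=?",
               $rc->get_table_name('cache'));
$res = $rc->query($sql, array(42, "inbox'; DROP TABLE rc_cache; --"));
```

The second parameter in the usage line arrives at the database as a plain string value, so the injection-looking key is only ever compared against cache_key, never executed.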