Re: Proposal to secure $xoopsDB->query method
Posted by Vaughan on 1207473965
If the inputs were properly sanitized and the queries properly escaped, I don't think we would need to worry about the above too much.
What we need to find out more is why module developers create their own classes instead of using the core's class for sanitizing. If the core sanitizer is not up to the job then it needs to be made to do its job, so that module developers have no need to write their own classes in the first place. Modules should always be using the core classes and functions for sanitizing and the like, but in many cases they don't.
Is it because module developers don't know about existing core functions/classes, or is it because the existing classes etc. are not up to scratch?
We should try to make it harder for queries to be executed if $variables etc. have not been passed through the sanitizer or escaped properly using specific functions.
Is this query clean? Yes, then continue executing the query. No, then end the query and return to start.
Really we can only truly be safer when we go the full OO route, so that all queries, even from modules, are constructed in one place by means of the module passing the correct variables to the object class to construct the query, instead of the module doing the query construction itself.
Then there'd be no need for a module to have such lines as
$result = $db->query("SELECT * FROM table WHERE id = 1");
Instead we'd pass * to the core along with the table name and other parameters such as id = 1.
And then the core would clean all the variables before it constructs the query itself and then executes it; the output would then be returned to the module.
So essentially only the core is ever running queries on the DB and not the modules themselves.
This Post was from: https://www.impresscms.org/iforum/viewtopic.php?topic_id=1438&post_id=13568
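A core-side query class of the kind the post describes, as an added example (not ImpressCMS or XOOPS code): the module hands over the column list, table name and conditions, and only the core assembles and runs the SQL. The class name CoreSelect, the PDO/SQLite setup and the sample table are assumptions.

```php
<?php
// Added example, not ImpressCMS/XOOPS code. Modules never build SQL
// strings; they pass columns, table and conditions to the core.
final class CoreSelect  // hypothetical name
{
    private PDO $pdo;
    public function __construct(PDO $pdo) { $this->pdo = $pdo; }

    // Table and column names cannot be bound as parameters, so they are
    // checked against a strict identifier pattern and then quoted.
    private static function ident(string $name): string
    {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
            throw new InvalidArgumentException("bad identifier: $name");
        }
        return '`' . $name . '`';
    }

    // $columns: column names, or ['*']; $where: column => value, ANDed.
    public function select(string $table, array $columns, array $where): array
    {
        $cols = $columns === ['*']
            ? '*'
            : implode(', ', array_map(fn($c) => self::ident($c), $columns));
        $sql = 'SELECT ' . $cols . ' FROM ' . self::ident($table);
        $params = [];
        if ($where) {
            $clauses = [];
            foreach ($where as $col => $value) {
                $clauses[] = self::ident($col) . ' = ?';
                $params[]  = $value;   // values are bound, never interpolated
            }
            $sql .= ' WHERE ' . implode(' AND ', $clauses);
        }
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

// Constructed demo data in an in-memory SQLite database (assumption).
$pdo = new PDO('sqlite::memory:', null, null,
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER, name TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')");
$db = new CoreSelect($pdo);

// The module's "SELECT * FROM table WHERE id = 1" becomes:
var_dump($db->select('users', ['*'], ['id' => 1]));   // one row: alice
```

A table or column name that fails the identifier check (for example one containing a space or a quote) throws before any SQL is built, while condition values are always passed to the driver as bound parameters.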