I'm working on the new Forms system and I realized something: by default, query parameters are NOT protected. I will not debate SQL injection here (consult the Oracle), but I want to stress that you SHOULD ALWAYS protect the parameters. The easy way is to set the autoProtect property on your query class:
<?php
class HTVP_filmUpdate extends PHPDS_query
{
    // %(parameter)s is a string placeholder: it is only escaped when
    // $autoProtect is true. %(id)d is cast to an integer either way.
    protected $sql = 'UPDATE `table` SET `field` = "%(parameter)s" WHERE `id` = %(id)d';
    protected $autoProtect = true;
}
(Of course, this is not necessary if you only deal with %d parameters: a %d value is cast to an integer, so nothing a user types can break out of the query.)
You can also set $autoQuote = true to have the quotes added around your string parameters automatically. In that case leave the quotes out of the SQL template, otherwise the value ends up quoted twice.
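To make the difference concrete, here is an added example that is not PHPDevShell's own code: a small stand-in for the %(name)s / %(name)d placeholder expansion described above, written in Python so it runs without a database. The names expand(), mysql_escape() and php_int() are hypothetical, the attacker value is constructed, and the escaping table only lists the characters mysql_real_escape_string() handles (the real function is also connection-charset aware; this stand-in is not).

```python
# Added example, not PHPDevShell code: a stand-in for %(name)s / %(name)d
# placeholder expansion, showing what autoProtect and autoQuote change.
# expand(), mysql_escape() and php_int() are hypothetical names.
import re

PLACEHOLDER = re.compile(r"%\((\w+)\)([sd])")

# Same characters and replacements as mysql_real_escape_string()
# (minus charset awareness).
ESCAPES = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
           "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}

def mysql_escape(value):
    return "".join(ESCAPES.get(ch, ch) for ch in str(value))

def php_int(value):
    # What %d does in PHP: an (int) cast, i.e. the leading integer or 0.
    m = re.match(r"\s*[+-]?\d+", str(value))
    return int(m.group()) if m else 0

def expand(sql, params, auto_protect=False, auto_quote=False):
    """Substitute %(name)s / %(name)d placeholders in sql from params."""
    def sub(match):
        name, kind = match.groups()
        if kind == "d":
            return str(php_int(params[name]))   # never a string, so not injectable
        text = str(params[name])
        if auto_protect:
            text = mysql_escape(text)           # $autoProtect = true
        if auto_quote:
            text = '"' + text + '"'             # $autoQuote = true
        return text
    return PLACEHOLDER.sub(sub, sql)

# The template from the post, and a constructed attacker-supplied value.
TEMPLATE = 'UPDATE `table` SET `field` = "%(parameter)s" WHERE `id` = %(id)d'
PAYLOAD = '", `role` = "admin" WHERE `id` = 1 -- '

def unprotected_query():
    # Default behaviour: the value closes the literal and rewrites the statement
    # (a different column, a different row, and the real WHERE commented out).
    return expand(TEMPLATE, {"parameter": PAYLOAD, "id": 7})

def protected_query():
    # With autoProtect the quotes are escaped; the value stays inside the literal.
    return expand(TEMPLATE, {"parameter": PAYLOAD, "id": 7}, auto_protect=True)

def integer_only_query(raw_id):
    # %d needs no protection: whatever is passed collapses to an integer.
    return expand(TEMPLATE, {"parameter": "ok", "id": raw_id}, auto_protect=True)

def autoquote_query(value):
    # With autoQuote the template must not carry its own quotes,
    # or the literal would end up quoted twice.
    tmpl = 'UPDATE `table` SET `field` = %(parameter)s WHERE `id` = %(id)d'
    return expand(tmpl, {"parameter": value, "id": 7},
                  auto_protect=True, auto_quote=True)

if __name__ == "__main__":
    print(unprotected_query())
    print(protected_query())
    print(integer_only_query("7; DROP TABLE `table`"))
    print(autoquote_query("O'Brien"))
```

Run it and compare the first two lines: without protection the payload turns the update into `SET `field` = "", `role` = "admin" WHERE `id` = 1`, with protection the same bytes are just an odd-looking string value. The third line shows why %d placeholders are safe on their own, and the fourth why the template loses its own quotes once autoQuote is on.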