Re: WTF
- Subject: Re: WTF
- From: "Joshua D. Drake" <..hidden..>
- Date: Mon, 02 Oct 2006 11:39:56 -0700
Chris Travers wrote:
> In many cases I agree. For this application, I think it is the wrong
> solution.
I was only speaking to stating that we require at least DBI 1.21.
Joshua D. Drake
>
> I don't think we should trust any user input enough to allow it to
> arbitrarily specify any non-white-listed resource. 1.2 will implement
> substantive whitelisting for edited files, and we ought to whitelist
> user-agent-supplied db identifiers as well.
>
> I don't have any issue with quote_identifier. I just think that in
> *this* case, whitelisting is more appropriate. For general purpose db
> utils, quote_identifier is more appropriate.
>
> And I verified that this value is whitelisted (but this only affects
> "$form->{vc}_id" and not $form->{"$form->{vc}_id"}).
>
> Best Wishes,
> Chris Travers
>
> On 10/2/06, Joshua D. Drake <..hidden..> wrote:
>>
>> > DBI->quote_identifier(...) was added in DBI 1.21, released Feb 2002.
>> > That doesn't seem like an unreasonable prerequisite to me. What does
>> > the list think?
>>
>> That is 5 years here shortly. I think that is more than acceptable. :)
>>
>> Sincerely,
>>
>> Joshua D. Drake
>>
>> --
>>
>> === The PostgreSQL Company: Command Prompt, Inc. ===
>> Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
>> Providing the most comprehensive PostgreSQL solutions since 1997
>> http://www.commandprompt.com/
>>
>> _______________________________________________
>> Ledger-smb-devel mailing list
>> ..hidden..
>> https://lists.sourceforge.net/lists/listinfo/ledger-smb-devel
>>
>
--
=== The PostgreSQL Company: Command Prompt, Inc. ===
Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
Providing the most comprehensive PostgreSQL solutions since 1997
http://www.commandprompt.com/
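An added illustration of the distinction argued in this thread, that quoting an identifier and whitelisting it solve different problems; this is example code written for this archive page, not LedgerSMB's own code. The allowed identifier set and the dataset names are constructed, and `quote_identifier` is a Python stand-in for the single-name behaviour of DBI->quote_identifier.

```python
# Constructed: the database identifiers this application is willing to let
# a request name. This plays the role of the whitelist proposed above for
# user-agent-supplied db identifiers.
ALLOWED_DB_IDENTIFIERS = frozenset({"ledger_main", "ledger_test"})


def quote_identifier(name: str) -> str:
    """PostgreSQL-style quoting for a single identifier: wrap in double quotes
    and double any embedded double quote. Like DBI->quote_identifier, this
    turns any string into a syntactically valid identifier; it does not
    restrict which resource the string names."""
    return '"' + name.replace('"', '""') + '"'


def is_whitelisted(candidate: str, allowed=ALLOWED_DB_IDENTIFIERS) -> bool:
    """Exact-match check against the fixed set of known resources."""
    return candidate in allowed


def build_select(candidate: str, policy: str) -> dict:
    """Build 'SELECT * FROM <identifier>' under one of two policies.

    'quote_only' : rely on quoting alone (general-purpose DB utility style).
    'whitelist'  : accept only known identifiers, then quote them as well.
    Returns {'accepted': bool, 'sql': str | None, 'reason': str}.
    """
    if policy == "quote_only":
        return {"accepted": True,
                "sql": f"SELECT * FROM {quote_identifier(candidate)}",
                "reason": "quoted; whatever identifier the client names is used"}
    if policy == "whitelist":
        if not is_whitelisted(candidate):
            return {"accepted": False, "sql": None,
                    "reason": f"identifier not on whitelist: {candidate!r}"}
        return {"accepted": True,
                "sql": f"SELECT * FROM {quote_identifier(candidate)}",
                "reason": "identifier is a known resource"}
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    # Constructed requests: an approved dataset, a dataset this request
    # should never reach, and a name with an embedded quote that quoting
    # must neutralise syntactically.
    for cand in ("ledger_main", "other_tenant_ledger", 'led"ger'):
        for pol in ("quote_only", "whitelist"):
            r = build_select(cand, pol)
            print(f"{pol:10} {cand!r:22} accepted={r['accepted']} sql={r['sql']}")
```

The quote_only rows show that quoting keeps the statement well-formed for every input but still hands the client the choice of resource; the whitelist rows reject anything outside the known set before any SQL is built.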