
Re: WTF



In many cases I agree.  For this application, I think it is the wrong solution.

I don't think we should trust any user input enough to allow it to
arbitrarily specify any non-white-listed resource.  1.2 will implement
substantive whitelisting for edited files, and we ought to whitelist
user-agent-supplied db identifiers as well.

I don't have any issue with quote_identifier.  I just think that in
*this* case, whitelisting is more appropriate.  For general purpose db
utils, quote_identifier is more appropriate.

And I verified that this value is whitelisted (but this only affects
"$form->{vc}_id" and not $form->{"$form->{vc}_id"}).

Best Wishes,
Chris Travers

On 10/2/06, Joshua D. Drake <..hidden..> wrote:

> > DBI->quote_identifier(...) was added in DBI 1.21, released Feb 2002.
> > That doesn't seem like an unreasonable prerequisite to me. What does
> > the list think?
>
> That is 5 years here shortly. I think that is more than acceptable. :)
>
> Sincerely,
>
> Joshua D. Drake
>
> --
>
>    === The PostgreSQL Company: Command Prompt, Inc. ===
> Sales/Support: +1.503.667.4564 || 24x7/Emergency: +1.800.492.2240
>    Providing the most comprehensive PostgreSQL solutions since 1997
>              http://www.commandprompt.com/
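A worked illustration of the whitelisting approach argued for above, added here as an example; it is not code from this thread or from LedgerSMB, and the %vc_table, whitelisted_vc and lookup_sql names and the customer/vendor tables are assumptions:

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed whitelist: the only tables a user-supplied vc value may select.
my %vc_table = (
    customer => { table => 'customer', id_col => 'customer_id' },
    vendor   => { table => 'vendor',   id_col => 'vendor_id'   },
);

# Map a request-supplied vc value to a whitelisted entry, or die.
# The identifier that reaches the SQL text comes from %vc_table, never
# from the request, so no identifier quoting is needed on this path.
sub whitelisted_vc {
    my ($vc) = @_;
    die "rejected vc value: " . (defined $vc ? "'$vc'" : 'undef') . "\n"
        unless defined $vc && exists $vc_table{$vc};
    return $vc_table{$vc};
}

# Build the statement: whitelisted identifier in the SQL text, untrusted id
# as a bind value. Returns the SQL and the bind list for prepare/execute.
sub lookup_sql {
    my ($form) = @_;
    my $vc = whitelisted_vc($form->{vc});
    my $id = $form->{"$form->{vc}_id"};   # stays a placeholder, never interpolated
    return ("SELECT name FROM $vc->{table} WHERE $vc->{id_col} = ?", [$id]);
}

# Constructed sample requests; the third names a table outside the whitelist.
my @requests = (
    { vc => 'customer', customer_id => 42 },
    { vc => 'vendor',   vendor_id   => 7  },
    { vc => 'users',    users_id    => 1  },
);

for my $form (@requests) {
    my ($sql, $binds) = eval { lookup_sql($form) };
    if ($@) { print "rejected: $@"; next; }
    print "$sql   -- binds: @$binds\n";
}
```

The distinction drawn in the thread is visible in the third request: quote_identifier would only escape quoting characters inside a supplied name, while the whitelist refuses any table the request was never meant to name.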



_______________________________________________
Ledger-smb-devel mailing list
..hidden..
https://lists.sourceforge.net/lists/listinfo/ledger-smb-devel