OK, I did the digging and see that /common/lib/Misc.php has the function sanitize_data which protects us from any of the following strings in just about any text field.
# injection sql
$input = str_ireplace('HAVING', '', $input);
$input = str_ireplace('UNION', '', $input);
$input = str_ireplace('SUBSTRING', '', $input);
$input = str_ireplace('ASCII', '', $input);
$input = str_ireplace('SHA1', '', $input);
$input = str_ireplace('MD5', '', $input);
$input = str_ireplace('SCRIPT', '', $input);
$input = str_ireplace('ROW_COUNT', '', $input);
$input = str_ireplace('SELECT', '', $input);
$input = str_ireplace('UPDATE', '', $input);
#$input = str_ireplace('DELETE', '', $input);
Actually, without mysql_real_escape_string() it could mean a lot of additional code to protect against SQL injection. I guess this approach is a good compromise.
Keep up the excellent work.
Mark
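Added example, not code from the post above or from the project it discusses: the single-pass keyword denylist reproduced as a function, its effect on ordinary text, and the parameterised query that makes keyword stripping unnecessary. The table and column names, the function names, and the use of in-memory SQLite are assumptions made for this example.

```php
<?php
// Added example (not the project's code). Stand-in for the keyword-stripping
// sanitize_data() quoted in the post, beside a bound-parameter query.
// Table/column names and the SQLite backend are assumptions.

// Single-pass, case-insensitive denylist, as described in the post.
function sanitize_data_denylist(string $input): string
{
    foreach (['HAVING', 'UNION', 'SUBSTRING', 'ASCII', 'SHA1', 'MD5',
              'SCRIPT', 'ROW_COUNT', 'SELECT', 'UPDATE'] as $word) {
        $input = str_ireplace($word, '', $input);
    }
    return $input;
}

// Denylist side effect: ordinary text containing a listed word is silently
// corrupted before it is stored ("Union Street", "update", "MD5" all vanish).
$benign = 'Meet at 12 Union Street; status update on the MD5 migration';
echo sanitize_data_denylist($benign), PHP_EOL;

// Hardened form: keep the input as-is and let the driver bind it as data.
// In-memory SQLite is used so this runs without a MySQL server; the same
// PDO calls work against a mysql: DSN.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // native prepares where the driver supports them
]);
$db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

function store_note(PDO $db, string $body): int
{
    $stmt = $db->prepare('INSERT INTO notes (body) VALUES (:body)');
    $stmt->execute([':body' => $body]); // bound as a value, never spliced into SQL text
    return (int) $db->lastInsertId();
}

function find_notes(PDO $db, string $needle): array
{
    // The search term is bound too; binding stops SQL injection. LIKE wildcards
    // (% and _) inside $needle are a separate matter and are not escaped here.
    $stmt = $db->prepare('SELECT id, body FROM notes WHERE body LIKE :pat');
    $stmt->execute([':pat' => '%' . $needle . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

store_note($db, $benign);
store_note($db, "quote test: O'Brien said \"select\" is a verb");
foreach (find_notes($db, 'select') as $row) {
    echo $row['id'], ': ', $row['body'], PHP_EOL; // stored intact, nothing stripped
}
```

Run with `php example.php` (requires the pdo_sqlite extension); the first line of output shows the mangled benign text, the rest shows the same text stored and retrieved unchanged through bound parameters.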