Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Sanitize tag, item, and mod inputs #54

Merged
merged 2 commits into from
Aug 14, 2017
Merged

Sanitize tag, item, and mod inputs #54

merged 2 commits into from
Aug 14, 2017

Conversation

elifoster
Copy link
Member

@elifoster elifoster commented Aug 11, 2017
edited
Loading

Close #53.

@Alexia Could you review this and perhaps double check that I haven't missed any areas where input sanitation is needed?

xbony2
xbony2 reviewed Aug 11, 2017
View reviewed changes
special/OreDictEntryManager.php Outdated
if ($result == false) {
return -2;
}
return $result;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is ? : a thing in PHP?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also loosely checking against false in PHP, while rare, could end in disaster.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Come to think about it, in Java the syntax would be !$results although I suspect that's not a possible thing in PHP.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

return ($result === false ? -2 : $result);

Copy link
Member Author

@elifoster elifoster Aug 14, 2017
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@Alexia Is that check loose? I thought === false would be "loose" while == false would be strictly checking against false.

OreDict#addEntry returns either false or the entry ID. Is this a poor way to handle this?

Edit: Never mind, Peter corrected me. I had it flipped around in my head.

@Alexia
Copy link
Contributor

Alexia commented Aug 11, 2017

This seems fine to me.

@elifoster elifoster merged commit b147ab9 into master Aug 14, 2017
@elifoster elifoster deleted the sanitize branch August 14, 2017 17:39
elifoster added a commit that referenced this pull request Sep 5, 2020
@elifoster
editEntry: Use sanitized inputs in SQL UPDATE
0ab7aba 
We sanitized the inputs to make sure there are no bad (empty, invalid string) values, but then use the provided inputs rather than the sanitized inputs in the SQL query. This was introduced in #54 and was exposed in the API as seen in #77. Close #77.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@xbony2 xbony2 xbony2 left review comments

@Alexia Alexia Alexia left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@elifoster @Alexia @xbony2