[Phpmyadmin-devel] Issue with event editing
Ayush Chaudhary
ayushchd at gmail.com
Sun Aug 25 22:09:37 CEST 2013
Hi,
On Monday, 26 August 2013 at 12:20 AM, Rouslan Placella wrote:
> On 08/25/2013 10:14 AM, Ayush Chaudhary wrote:
> > Hi,
> >
> > I was writing Selenium tests for editing an event. While creating an
> > event, I created it with the clause 'EVERY 2 MINUTE_SECOND' and it
> > worked fine. However, MySQL stores it as '0:2', so when I go to edit the
> > event, the default value for interval field is '0:2', and then when I
> > submit the edit form, our code takes the intval from 0:2 and forms the
> > query 'EVERY 0 MINUTE_SECOND' and this creates an error.
> >
> > Is there a specific reason why intval is being used in
> > rte_events.lib.php on Line 585? If not, should I remove that and issue a
> > pull request?
> >
>
>
> IIRC, intval was used there to sanitize user input. If you remove it,
> you'll need to add something else to avoid SQL injections.
>
>
Shouldn't addslashes be fine? And moreover, since the query will be executed via PMA_DatabaseInterface class, shouldn't that alone take care of sanitisation against SQL injection?
>
> Bye,
> Rouslan
>
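
An added example, not part of the original thread or of phpMyAdmin's code: one way to validate the interval value against a per-unit format allowlist instead of intval(), so that the stored '0:2' form survives an edit while anything that does not fit the unit is rejected before it reaches the query. The function and constant names are hypothetical, and the composite formats are the ones MySQL documents for these interval units.

```php
<?php
// Added example, not phpMyAdmin code; all names here are hypothetical.
// Value formats for the interval units CREATE/ALTER EVENT accepts.
// The D modifier stops '$' from matching before a trailing newline.
const EVENT_INTERVAL_FORMATS = [
    'YEAR' => '/^\d+$/D', 'QUARTER' => '/^\d+$/D', 'MONTH' => '/^\d+$/D',
    'WEEK' => '/^\d+$/D', 'DAY' => '/^\d+$/D', 'HOUR' => '/^\d+$/D',
    'MINUTE' => '/^\d+$/D', 'SECOND' => '/^\d+$/D',
    'YEAR_MONTH'    => '/^\d+-\d+$/D',
    'DAY_HOUR'      => '/^\d+ \d+$/D',
    'DAY_MINUTE'    => '/^\d+ \d+:\d+$/D',
    'DAY_SECOND'    => '/^\d+ \d+:\d+:\d+$/D',
    'HOUR_MINUTE'   => '/^\d+:\d+$/D',
    'HOUR_SECOND'   => '/^\d+:\d+:\d+$/D',
    'MINUTE_SECOND' => '/^\d+:\d+$/D',
];

function buildEveryClause(string $value, string $unit): string
{
    $unit = strtoupper($unit);
    if (!array_key_exists($unit, EVENT_INTERVAL_FORMATS)) {
        throw new InvalidArgumentException("unknown interval unit");
    }
    // A bare integer works with any unit ('EVERY 2 MINUTE_SECOND' in the thread).
    if (preg_match('/^\d+$/D', $value) === 1) {
        if ((int) $value < 1) {
            throw new InvalidArgumentException("interval must be positive");
        }
        return "EVERY $value $unit";
    }
    if (preg_match(EVENT_INTERVAL_FORMATS[$unit], $value) !== 1) {
        throw new InvalidArgumentException("value does not fit $unit");
    }
    // Only digits, ':', '-' and ' ' can reach this point, so quoting is safe.
    return "EVERY '$value' $unit";
}

// Constructed inputs: the value from the thread, then one that fits no format.
var_dump(intval('0:2')); // what the intval() path turns the stored value into
echo buildEveryClause('0:2', 'MINUTE_SECOND'), "\n";
try {
    buildEveryClause("0:2' OR '1'='1", 'MINUTE_SECOND');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The unit is checked against the same allowlist because it is also interpolated into the statement as a keyword, where string escaping would not help.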