Re: art.gnome.org stuff

[Thomas Wood <thos gnome org>]

On 26 Jul 2005, at 1:18 am, Dave Foster wrote:

> On Tue, 2005-07-26 at 00:55 +0200, Benjamin Berg wrote:
> > So you suggest stripping all $_GET and $_POST vars on page load? This
> > would work, but also means, that the mysql queries need to be checked,
> > to prevent attacks.
>
> Well, my original intentions didn't have anything to do with anything
> going into the database.. just the display coming out.  As far as I can
> see, this can be solved by adding a stripslashes() either in the
> function I mentioned (html_parse_text or whatever) or, more
> specifically, in the backgrounds file that actually contains the 
> comment
> output.

I think what would be nice is to get a script to remove all the extra 
slashes from the database. Hopefully the data entry is now fixed, we 
just need to get the old slashes out.

> > The specific problem with comments should be fixed. I have posted a
> > patch for the last bug related to comments (was a dynamic login
> > problem).
>
> I've just joined the list, so I'm a bit new to this whole thing.  Can
> you link me to what you are referring to?  Thanks.
>
>
> > But there are still problems in account.php. I have even seen
> > a user with a \' in the user name, but don't recall exactly where it
> > was.
>
> Aye, so it's a problem in other areas as well.  There's really no
> question, database text usually HAS to be backslashed in order to be
> stored appropriately.  If all text in the DB is backslashed, then all
> instances of it coming out should have those slashes stripped out.

Again, I committed a fix for this a week or so ago, so this shouldn't 
occur again. Fixing the extra slashes that are already in the database 
is the problem now.

-Thomas