[geeklog-devel] Filtering in GL2

Dirk Haun dirk at haun-online.de
Wed Dec 15 16:21:09 EST 2004


>Quote handling in GL2 should be transparent to the developer. Recall 
>that all custom SQL goes into a named query file and that the SQL that 
>goes in there should use prepared SQL as opposed to the kind of SQL 
>found in 1.3.x.

What about SQL injection attempts then?

There's several sorts of filtering that have to be done, and ideally (I
think), they should be handled by different "entities" (for lack of a
better word), as opposed to the all-in-one approach that 1.3's
COM_applyFilter  implements.

I.e. an SQL request should be parsed for injections / malformed SQL by
the entity that handles SQL (would that be Propel then or Creole?).

JavaScript, unwanted HTML, etc. should be handled by the module that
handles the post (or whatever data is being processed), as it may be
acceptable for one module, but unacceptable for another.

bye, Dirk


More information about the geeklog-devel mailing list