Escaping SQL parameters
-
We're moving stuff to PHP 7 and I have to update some code I wrote years ago:
$status_list_escaped = array_map('mysql_real_escape_string', $status_list);
$status_str = "('".join("','", $status_list)."')";   // joins the raw values; $status_list_escaped is never read
$predicates[] = 'status IN '.$status_str;
Isn't it nice how I tried to protect from SQL injection but failed utterly? The only places where this code is called from use a curated list to build $status_list, so thankfully this was never a vector for SQL injection. I wonder what else lurks in this codebase though.
-
@gleemonk I don't know PHP enough to see why exactly this fails, could you please enlighten me?
-
@Medinoc $status_list_escaped, which contains the escaped values, is never used.
-
@gleemonk Even "years ago" PDO existed.
-
TRWTF is that you are not using a code analysis tool before throwing this shit onto people.
@blakeyrat said in Escaping SQL parameters:
@gleemonk Even "years ago" PDO existed.
And that.
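Added example, not code from the thread: the posted pattern (escaped copy computed, raw values joined) next to a PDO rewrite that emits one placeholder per IN value and binds them, which is the fix @blakeyrat is pointing at. The `orders` table, the `status` column and the hostile input are constructed for the demonstration; `addslashes` stands in for `mysql_real_escape_string`, which no longer exists in PHP 7 because ext/mysql was removed. It runs against in-memory SQLite so it needs no server.

```php
<?php
declare(strict_types=1);

// What the posted code does: the escaped copy is built and then thrown away.
// Bug kept on purpose to mirror the thread; do not use this function.
function buggyInClause(array $statusList): string
{
    // Stand-in for mysql_real_escape_string(), removed with ext/mysql in PHP 7.
    $statusListEscaped = array_map('addslashes', $statusList);
    // $statusListEscaped is never read; the raw values are joined instead.
    return "('" . join("','", $statusList) . "')";
}

// Parameterized version: one '?' per value, values passed to execute().
// Returns [predicate SQL, bound parameters].
function buildInPredicate(array $statusList): array
{
    if ($statusList === []) {
        // "status IN ()" is a syntax error; an always-false predicate is the safe equivalent.
        return ['0 = 1', []];
    }
    $placeholders = implode(',', array_fill(0, count($statusList), '?'));
    return ['status IN (' . $placeholders . ')', array_values($statusList)];
}

function fetchByStatus(PDO $pdo, array $statusList): array
{
    [$predicate, $params] = buildInPredicate($statusList);
    // Only the placeholder string is concatenated; user data never touches the SQL text.
    $stmt = $pdo->prepare('SELECT id, status FROM orders WHERE ' . $predicate);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data (assumed schema, not from the thread).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On MySQL also set PDO::ATTR_EMULATE_PREPARES to false so the server does the binding.
$pdo->exec('CREATE TABLE orders (id INTEGER PRIMARY KEY, status TEXT)');
$pdo->exec("INSERT INTO orders (status) VALUES ('open'), ('closed'), ('shipped')");

// Constructed hostile value: a status that closes the IN list and appends a tautology.
$hostile = ["open') OR ('1'='1"];

echo 'Posted pattern builds: status IN ', buggyInClause($hostile), PHP_EOL;
// -> status IN ('open') OR ('1'='1')   every row would match

$rows = fetchByStatus($pdo, $hostile);
echo 'PDO with hostile value: ', count($rows), ' row(s)', PHP_EOL;
// -> 0, because the whole string is compared as a literal status

$rows = fetchByStatus($pdo, ['open', 'shipped']);
echo 'PDO with two real statuses: ', count($rows), ' row(s)', PHP_EOL;
// -> 2
```

The point of `buildInPredicate` is that the number of values, not their content, is the only thing that shapes the SQL string. That also sidesteps the original failure mode: there is no escaped copy to forget about, because the driver receives the values separately from the query.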
-
@PleegWat I didn't even notice that
-
@loopback0 I wouldn't have either if @gleemonk hadn't told us there was a bug.
-
There is a reason why Visual Studio will try to find "any variable that has been written but never read" and generate a warning.
But of course that kind of checking won't help if there is a subsequent call that should be using the escaped variable but isn't.