Use mysql_real_escape_string function on all untrusted data

Project: OpenETD - Rutgers Electronic Theses and Dissertations Platform
Version: 1.0.0-beta
Component: Code
Category: bug report
Priority: normal
Assigned: sdellis
Status: closed
Description

Previously addslashes() was used, but while it escapes quotes, the app is still vulnerable to SQL injection attacks.

Comments

#1

Status: active » fixed

This is now fixed. Eventually, all queries should be run through a query class to make it easier to apply changes in the future.
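The issue asks that untrusted values go through a connection-aware escape function rather than addslashes(), and comment #1 proposes routing every query through a query class. The sketch below is an added example, not OpenETD code: a minimal query class built on mysqli (the ext/mysql extension that provided mysql_real_escape_string() was removed in PHP 7, and mysqli's real_escape_string() is its equivalent). It prefers prepared statements, where values never become part of the SQL text, and keeps a connection-aware quote() only for legacy call sites that still interpolate. The connection parameters, the table "etd" and its columns are assumed for illustration.

```php
<?php
// Added example, not OpenETD's own code. Assumes a mysqli connection and a
// hypothetical table "etd" with columns "id" and "title".

final class Query
{
    private mysqli $db;

    public function __construct(mysqli $db)
    {
        $this->db = $db;
    }

    // Preferred path: parameters are bound, never spliced into the SQL string,
    // so no escaping decision is left to the caller.
    public function select(string $sql, array $params = []): array
    {
        $stmt = $this->db->prepare($sql);
        if ($stmt === false) {
            throw new RuntimeException('prepare failed: ' . $this->db->error);
        }
        if ($params !== []) {
            // Bind everything as a string; MySQL coerces per column type.
            $stmt->bind_param(str_repeat('s', count($params)), ...$params);
        }
        $stmt->execute();
        $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
        $stmt->close();
        return $rows;
    }

    // Fallback for legacy code that still builds SQL by concatenation.
    // real_escape_string() escapes according to the connection's character
    // set, which is what addslashes() cannot do; the quotes are added here so
    // callers cannot forget them.
    public function quote(string $value): string
    {
        return "'" . $this->db->real_escape_string($value) . "'";
    }
}

// Usage with hypothetical connection parameters.
$db = new mysqli('localhost', 'etd_user', 'secret', 'etd');
// Escaping is only correct for the charset the connection actually uses,
// so set it explicitly before any query.
$db->set_charset('utf8mb4');
$q = new Query($db);

$untrusted = $_GET['title'] ?? '';

// New code: bound parameter.
$rows = $q->select('SELECT id, title FROM etd WHERE title = ?', [$untrusted]);

// Legacy call site, still acceptable because quoting is connection-aware.
$legacy = $q->select('SELECT id, title FROM etd WHERE title = ' . $q->quote($untrusted));
```

Two design points worth keeping when migrating an older code base: set_charset() must be called before any escaping so that real_escape_string() and the server agree on the encoding, and the quote() fallback should be treated as a transitional API, with each remaining call site converted to a bound parameter over time.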

#2

Status: fixed » closed
