kumarsivarajan / rmh-roomreservation-maker

Automatically exported from code.google.com/p/rmh-roomreservation-maker

Database functions should sanitize before submitting their queries. #100

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
Enhancement name:
Sanitize arguments in database functions.

Functionality:
Use mysql_real_escape_string() in database functions on all values before 
attempting to insert into the database. A lot of copy-pasting that long 
function name.

Without it, entering comments containing apostrophes (single-quotes) or 
double-quotes (double-apostrophes) prematurely terminates the SQL statement and 
opens the database up to SQL injection.

Original issue reported on code.google.com by niceo...@gmail.com on 7 Nov 2012 at 6:21
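An added example (not code from rmh-roomreservation-maker) of the two fixes this issue leads to: a helper that escapes every value once so the long escape call is not copy-pasted into each query, and the prepared-statement form that keeps data out of the SQL text altogether. It assumes a mysqli connection with placeholder credentials and a hypothetical `reservations` table with a `comment` column; the legacy `mysql_*` extension named above was removed in PHP 7, so `mysqli::real_escape_string()` stands in for `mysql_real_escape_string()`.

```php
<?php
// Placeholder connection details; replace with the application's own.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');

// Constructed sample comment. The apostrophes are exactly the characters
// that end the string literal early when the value is interpolated raw.
$comment = "Room wasn't ready; guest's family arrives at 5 o'clock";

// 1. What the issue describes: raw interpolation. The literal closes at the
//    first apostrophe, so the rest of the comment is parsed as SQL.
function buildUnsafeInsert(string $comment): string
{
    return "INSERT INTO reservations (comment) VALUES ('$comment')";
}

// 2. The fix proposed in the issue, done once in a helper: every value is
//    escaped with the connection's escape function before interpolation.
//    $row keys are column names chosen by the caller's code, never by the user.
function insertEscaped(mysqli $db, string $table, array $row): bool
{
    $cols = [];
    $vals = [];
    foreach ($row as $col => $val) {
        $cols[] = '`' . str_replace('`', '``', $col) . '`';
        $vals[] = "'" . $db->real_escape_string((string) $val) . "'";
    }
    $sql = sprintf('INSERT INTO `%s` (%s) VALUES (%s)',
        $table, implode(', ', $cols), implode(', ', $vals));
    return (bool) $db->query($sql);
}

// 3. The stronger fix: a prepared statement binds values separately from the
//    statement text, so nothing needs escaping and nothing can be forgotten.
function insertPrepared(mysqli $db, string $table, array $row): bool
{
    $cols = implode(', ', array_map(fn ($c) => '`' . $c . '`', array_keys($row)));
    $marks = implode(', ', array_fill(0, count($row), '?'));
    $stmt = $db->prepare("INSERT INTO `$table` ($cols) VALUES ($marks)");
    $stmt->bind_param(str_repeat('s', count($row)), ...array_values($row));
    return $stmt->execute();
}

// The unsafe string is only built for inspection, never executed.
echo buildUnsafeInsert($comment), PHP_EOL;
insertEscaped($db, 'reservations', ['comment' => $comment]);
insertPrepared($db, 'reservations', ['comment' => $comment]);
```

Either helper also covers the `newProfile.php` case mentioned later in this thread, since callers pass an associative array instead of building query strings by hand.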

GoogleCodeExporter commented 8 years ago

Original comment by bkmackellar on 19 Nov 2012 at 3:52

GoogleCodeExporter commented 8 years ago
Is this getting any attention? It's not a *real* showstopper for testing 
purposes, but I think it's pretty important, and it seems to still affect at 
least the newProfile.php class. It's not my expertise, but right now I am (and 
have been) floating with no issues, so I could try to tackle it if no progress 
has been made.

Original comment by niceo...@gmail.com on 3 Dec 2012 at 4:02