linwiz / Raspberry-Pi-Web-GPIO

PHP script to control Raspberry PI GPIO pins from the web
GNU General Public License v3.0

the same way #42

Closed Paku- closed 9 years ago

Paku- commented 9 years ago

It's the same logic, you have to make it "manually". PDO works only for SQL parameters (WHERE xxx = :param). Take care of the commented-out PDO setting - forgot to remove it.

Paku- commented 9 years ago

Reformat is automatic so sometimes it does make bad choices - but mostly helps :) It would be better if I read what I am writing first .... 'No code changes. Just reformatted all for nicer look' << is it better?

Paku- commented 9 years ago

tell me more, do not copy

linwiz commented 9 years ago

Only variables put through parameters are sanitized, i.e. ':id' or '?'. $id is still being sanitized, but $field is no longer safe from MySQL injection.

Paku- commented 9 years ago

But the field is not a part of PDO processing, as it's a part of the base SQL query you are building. You have to take care of it yourself.

I think it was checked in mysqli version.

Regards, Paweł


linwiz commented 9 years ago

The prepared statement does take care of sanitization, but it does not work because of this specific case. We need to get rid of the 'NOT' part of `$field = NOT :field`. We need to find another way to do it. I am not sure of the solution yet.

linwiz commented 9 years ago

I appreciate that you are trying to help but I do not like the changes made in bf441927d5c6208a70e9ee687f1bef7fbeccb277

Paku- commented 9 years ago

So drop it

Regards, Paweł


Paku- commented 9 years ago

Added the way to finish it, but in my opinion it is too big a gun for this problem ... like Rpi. You may add a select and go this way.

linwiz commented 9 years ago

$field == pinNumberBCM, not a value like 0 or 1, so it cannot equal 0 or 1.

Paku- commented 9 years ago

Sure... So you have to get the value like 0/1, then set it negative. As I wrote. I am not able to do it as I am working on another project in parallel. You have the idea, the rest is just typing.

Regards, Paweł

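The approach discussed in this thread (a column name cannot be bound as a PDO parameter, so the pin is read as 0/1 and negated in PHP), written out as an added example that is not the project's own code. It assumes a MySQL table `pins` with an integer `id` column and one integer column per BCM pin, and a PDO handle configured with `PDO::ERRMODE_EXCEPTION`; the function and table names are hypothetical.

```php
<?php
// Added example, not code from linwiz/Raspberry-Pi-Web-GPIO.
// $field is a column NAME, so `SET $field = NOT :field` cannot work: PDO binds
// values, not identifiers. The identifier is therefore checked against the real
// schema (an allowlist), and only the VALUES are bound as parameters.

function togglePinColumn(PDO $pdo, string $field, int $id): int
{
    // 1. Allowlist the identifier against the columns MySQL reports for the table.
    //    Anything not in that list is rejected instead of being spliced into SQL.
    $allowed = [];
    foreach ($pdo->query('SHOW COLUMNS FROM `pins`') as $row) {
        $allowed[] = $row['Field'];
    }
    if ($field === 'id' || !in_array($field, $allowed, true)) {
        throw new InvalidArgumentException('Unknown pin column: ' . $field);
    }

    // 2. Read the current 0/1 value with the row id bound as a parameter.
    $select = $pdo->prepare("SELECT `$field` FROM `pins` WHERE id = :id");
    $select->execute([':id' => $id]);
    $current = $select->fetchColumn();
    if ($current === false) {
        throw new RuntimeException('No pins row with id ' . $id);
    }

    // 3. Negate in PHP ("get the value like 0/1 then set it negative").
    $new = ((int) $current) ? 0 : 1;

    // 4. Write it back; both the new value and the id are bound, never interpolated.
    $update = $pdo->prepare("UPDATE `pins` SET `$field` = :value WHERE id = :id");
    $update->execute([':value' => $new, ':id' => $id]);

    return $new;
}

// Hypothetical usage (assumed DSN and credentials):
// $pdo = new PDO('mysql:host=localhost;dbname=gpio', 'user', 'pass',
//                [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// $state = togglePinColumn($pdo, $_POST['field'], (int) $_POST['id']);
```

Because the allowlist is derived from the table itself, the only strings that ever reach the query text are column names MySQL already knows, so a request naming anything else fails closed.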