Closed. Paku closed this pull request 9 years ago.
Reformat is automatic so sometimes it does make bad choices - but mostly helps :) It would be better if I read what I am writing first .... 'No code changes. Just reformatted all for nicer look' << is it better?
tell me more, do not copy
Only variables put through parameters are sanitized, i.e. ':id' or '?'. $id is still being sanitized, but $field is no longer safe from mysql injection.
But field is not a part of PDO processing, as it's a part of the base SQL query you are building. You have to take care of it yourself.
I think it was checked in mysqli version.
Regards, Paweł
From: Matthew Motz mailto:notifications@github.com Sent: 2015-01-16 12:47 To: linwiz/Raspberry-Pi-Web-GPIO mailto:Raspberry-Pi-Web-GPIO@noreply.github.com CC: Paku mailto:pawel@4x4.org.pl Subject: Re: [Raspberry-Pi-Web-GPIO] the same way (#42)
The prepared statement does take care of sanitization, but it does not work because of this specific case. We need to get rid of the 'NOT' part of the `$field = NOT :field`. We need to find another way to do it. I am not sure of the solution yet.
I appreciate that you are trying to help but I do not like the changes made in bf441927d5c6208a70e9ee687f1bef7fbeccb277
So drop it
Regards, Paweł
Added the way to finish it, but in my opinion it is too big a gun for this problem ... like Rpi. You may add a select and go this way.
$field == pinNumberBCM, not a value like 0 or 1, so it cannot equal 0 or 1.
Sure... So you have to get the value, like 0/1, then set it negative, as I wrote. I am not able to do it as I am working on another project in parallel. You have the idea; the rest is just typing.
Regards, Paweł
It's the same logic, you have to make it "manually". PDO works only for SQL parameters (WHERE xxx = :param). Take care of the commented-out PDO setting - I forgot to remove it.
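The point made in this thread is that PDO placeholders bind values only, never identifiers, so a column name taken from the request (`$field`) has to be constrained by the application itself, and the toggle has to be done as read-then-write with the new value bound as a parameter rather than as `$field = NOT :field`. The following is an added example illustrating both points; it is not code from the Raspberry-Pi-Web-GPIO project. The table name `pins`, the columns `state` and `enabled`, the `id` key and the SQLite demo data are all assumptions made for the example; MySQL through PDO uses the same calls.

```php
<?php
// Added example, not part of linwiz/Raspberry-Pi-Web-GPIO.
// Table, column names and sample rows are assumptions for this demo.
declare(strict_types=1);

// PDO cannot bind an identifier, so the only safe way to accept a column
// name from user input is to compare it against a fixed allowlist and use
// the allowlisted constant (never the raw input) when building the SQL.
const TOGGLEABLE_COLUMNS = ['state', 'enabled'];

function toggleableColumn(string $field): string
{
    $index = array_search($field, TOGGLEABLE_COLUMNS, true);
    if ($index === false) {
        throw new InvalidArgumentException('column not allowed: ' . $field);
    }
    return TOGGLEABLE_COLUMNS[$index];
}

// Read the current 0/1 value, negate it in PHP, write it back with a bound
// parameter. Both statements bind the row id; only the allowlisted column
// name is interpolated. The transaction keeps read and write consistent.
function togglePinField(PDO $db, int $id, string $field): int
{
    $column = toggleableColumn($field);
    $db->beginTransaction();
    try {
        $select = $db->prepare("SELECT `{$column}` FROM pins WHERE id = :id");
        $select->execute([':id' => $id]);
        $current = $select->fetchColumn();
        if ($current === false) {
            throw new RuntimeException('no pin with id ' . $id);
        }
        $new = ((int) $current) === 0 ? 1 : 0;

        $update = $db->prepare("UPDATE pins SET `{$column}` = :value WHERE id = :id");
        $update->execute([':value' => $new, ':id' => $id]);
        $db->commit();
        return $new;
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
}

// Demo on an in-memory SQLite database with constructed sample data.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$db->exec('CREATE TABLE pins (id INTEGER PRIMARY KEY, state INTEGER NOT NULL, enabled INTEGER NOT NULL)');
$db->exec('INSERT INTO pins (id, state, enabled) VALUES (17, 0, 1)');

echo 'state after first toggle: ', togglePinField($db, 17, 'state'), "\n";
echo 'state after second toggle: ', togglePinField($db, 17, 'state'), "\n";

// A column name that is not on the allowlist is rejected before any SQL is built.
try {
    togglePinField($db, 17, 'not_a_column');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The allowlist check is what stands in for parameter binding on the identifier; the negation is done in PHP on the fetched value so that the `NOT` never has to appear around a placeholder in the SQL text.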