Preventing SQL Injection Hacks
To avoid SQL injection hacks, we should validate and properly escape
all strings going into SQL queries. I've added a simple utility
(CRM_Utils_Type::escape()) which takes in a variable and an expected
type. If the variable matches against the expected type, its value is
returned (escaped, if necessary). Otherwise, it traps to
CRM_Core_Error::fatal().
We should use this function whenever making direct queries with form
values, but it is not necessary when going through the DAO interface.
Here's a quick example:
CRM/Contact/BAO/Relationship.php: checkDuplicateRelationship(...)
This code should be converted to the following:
However, we don't need to change it for the following case:
Note that this escaping is only necessary when the values come from a form (or possibly from SOAP/API calls); values the code itself produces do not need it.
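The following is an added illustration of the validate-by-expected-type contract described above; it is not CiviCRM's own code and does not show the internals of CRM_Utils_Type::escape(). The helper name escapeByType(), the FormValueError class, the type labels, and the constructed $formValues array are assumptions made for the example. Where the real utility traps to CRM_Core_Error::fatal(), this version throws an exception so it can run stand-alone from the command line.

```php
<?php
// Added example (not CiviCRM's code): a minimal type-checked escape helper
// that follows the contract described for CRM_Utils_Type::escape().
// All names below (escapeByType, FormValueError, $formValues) are hypothetical.

class FormValueError extends RuntimeException {}

/**
 * Return $value if it matches $type (escaped where necessary); otherwise abort.
 * A mismatch is a hard error rather than a silent cast, so a tampered form
 * value never reaches the query string.
 *
 * $escapeString is the escaper used for free-text strings. In production pass
 * the connection's own escaper, e.g. [$mysqli, 'real_escape_string'], so the
 * escaping matches the connection charset; addslashes() is only the offline
 * stand-in that lets this file run without a database.
 */
function escapeByType($value, string $type, ?callable $escapeString = null)
{
    $escapeString = $escapeString ?? 'addslashes';

    switch ($type) {
        case 'Integer':
            // Only a plain, optionally signed decimal integer is accepted;
            // "7 OR 1=1", "0x41" and "" are all rejected.
            if (!preg_match('/^-?\d+$/', (string) $value)) {
                throw new FormValueError("Expected Integer, got " . var_export($value, true));
            }
            return (int) $value;            // safe to interpolate as-is

        case 'Positive':
            if (!preg_match('/^\d+$/', (string) $value) || (int) $value <= 0) {
                throw new FormValueError("Expected Positive, got " . var_export($value, true));
            }
            return (int) $value;

        case 'Boolean':
            if (in_array($value, ['0', '1', 0, 1, true, false], true)) {
                return (int) (bool) $value;
            }
            throw new FormValueError("Expected Boolean, got " . var_export($value, true));

        case 'Date':
            // YYYYMMDD only; checkdate() additionally rejects e.g. 20230231.
            if (!preg_match('/^(\d{4})(\d{2})(\d{2})$/', (string) $value, $m)
                || !checkdate((int) $m[2], (int) $m[3], (int) $m[1])) {
                throw new FormValueError("Expected Date (YYYYMMDD), got " . var_export($value, true));
            }
            return $value;

        case 'String':
            // Free text has no shape to validate, so it is escaped instead.
            if (!is_scalar($value)) {
                throw new FormValueError("Expected String, got " . gettype($value));
            }
            return $escapeString((string) $value);

        default:
            // A typo in the expected type is a programming error, not user input.
            throw new InvalidArgumentException("Unknown type: $type");
    }
}

/**
 * Illustrative direct query built from form values, in the style of a
 * duplicate-relationship check. Every interpolated value passes through
 * escapeByType() first; the table and column names are only illustrative.
 */
function buildDuplicateCheckSql(array $formValues): string
{
    $contactId = escapeByType($formValues['contact_id'], 'Integer');
    $typeId    = escapeByType($formValues['relationship_type_id'], 'Integer');
    $startDate = escapeByType($formValues['start_date'], 'Date');

    return "SELECT id FROM civicrm_relationship"
         . " WHERE contact_id_a = $contactId"
         . " AND relationship_type_id = $typeId"
         . " AND start_date = '$startDate'";
}

// Constructed sample input: the first request is well-formed, the second
// carries a tampered relationship_type_id as a form might submit it.
$requests = [
    ['contact_id' => '42', 'relationship_type_id' => '7',        'start_date' => '20240115'],
    ['contact_id' => '42', 'relationship_type_id' => '7 OR 1=1', 'start_date' => '20240115'],
];

foreach ($requests as $formValues) {
    try {
        echo buildDuplicateCheckSql($formValues), "\n";
    } catch (FormValueError $e) {
        // The tampered value traps here; nothing is sent to MySQL.
        echo "Rejected: ", $e->getMessage(), "\n";
    }
}
```

Running this prints the well-formed query for the first request and a "Rejected: Expected Integer, got '7 OR 1=1'" line for the second. The design point is that integer and date types are validated by shape and returned unescaped, since a value that passed the check cannot contain quote or comment characters, while only the String type falls back to escaping, and that escaping must come from the live database connection rather than a generic function.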
