From d9cedd79fc4c25be4366e533c89843bee94e0995 Mon Sep 17 00:00:00 2001
From: steinm
Date: Fri, 2 Dec 2011 09:13:07 +0000
Subject: [PATCH] - no more protection against sql injection in sanitizeString() (it's been done when the sql statements are put together)

---
 inc/inc.Utils.php | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/inc/inc.Utils.php b/inc/inc.Utils.php
index 9d567b17c..15e59e640 100644
--- a/inc/inc.Utils.php
+++ b/inc/inc.Utils.php
@@ -54,9 +54,12 @@ function sanitizeString($string) { /* {{{ */
 $string = stripslashes($string);
 }
- $string = str_replace("\\", "\\\\", $string);
- $string = str_replace("--", "\-\-", $string);
- $string = str_replace(";", "\;", $string);
+ // The following three are against sql injection. They are not
+ // needed anymore because strings are quoted propperly when saved into
+ // the database.
+// $string = str_replace("\\", "\\\\", $string);
+// $string = str_replace("--", "\-\-", $string);
+// $string = str_replace(";", "\;", $string);
 // Use HTML entities to represent the other characters that have special
 // meaning in SQL. These can be easily converted back to ASCII / UTF-8
 // with a decode function if need be.
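Review bot: The added comment asserts that every string returned by sanitizeString() is "quoted properly when saved into the database", but nothing in this hunk establishes that, and after the removal a raw backslash, `--` or `;` now reaches whatever builds the SQL; the removal is only safe if every consumer passes the value through the DB layer's quoting (a parameterised query or the driver's quote function) rather than interpolating it, which should be stated as a contract on the function rather than as a historical note. I would replace the three commented-out lines and the note with a single requirement, e.g. `// No SQL escaping is done here: callers MUST pass the result through the DB layer's quoting (prepared statement or its quote function) before it reaches a statement.`, and delete the dead code rather than leaving it behind `//`. The surviving context lines still describe converting other "characters that have special meaning in SQL" into HTML entities, which is an output-encoding step and not an SQL defence, so the comment block as a whole should stop presenting this function as an SQL sanitiser. Also note the typo `propperly` in the new comment. sanitizeString() continues beyond the end of this hunk, so the remaining transformations it applies are not visible here.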