Discuss: MyBB 1.2.4 Released - Important Security Update
#56
rillig Wrote: I wonder about the quality of the provided patch:

* Why should a function (get_ip) that has absolutely nothing to do with database access use the function $db->escape_string?
* Why do you leave space characters in the IP address?
* Why is escape_string necessary at all, after you have filtered out everything except [0-9. ]?

Roland

Looking over the REGEX, it allows for digits and decimal points to remain (everything else is replaced by the empty string) - nothing that merits being escaped as long as it's treated as a string.
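An added example, not MyBB's code and not the patch being discussed, contrasting the kind of character-class filter rillig describes ([0-9. ]) with real address validation; the function names and sample inputs are constructed for illustration:

```php
<?php
// Added example (not MyBB's code). Approximates a whitelist filter of the
// kind discussed above and puts it beside a validating version.

// Approximation of the described filter: keep only digits, dots and spaces.
function filter_ip_charclass(string $raw): string
{
    return preg_replace('#[^0-9. ]#', '', $raw);
}

// Hardened: trim, then require a syntactically valid IPv4/IPv6 address.
// Anything else collapses to a fixed safe value instead of being stored.
// Because the result comes from a fixed alphabet, there is nothing left
// for an escape function to quote; parameterised queries remain the rule.
function sanitize_ip(string $raw): string
{
    $candidate = trim($raw);
    if (filter_var($candidate, FILTER_VALIDATE_IP) === false) {
        return '0.0.0.0';
    }
    return $candidate;
}

// Constructed inputs resembling what may arrive in REMOTE_ADDR or a
// client-supplied header.
$samples = [
    '192.0.2.10',             // ordinary address: both accept it
    ' 192.0.2.10 ',           // spaces survive the character-class filter
    '192.0.2.10 203.0.113.5', // two addresses joined by a space
    '999.999.999.999',        // digits and dots only, yet not an address
    '192.0.2.10abc',          // filter strips the junk; validation rejects
    '2001:db8::1',            // IPv6 is mangled to '200181' by the filter
];

foreach ($samples as $s) {
    printf("%-28s charclass=%-26s validated=%s\n",
        var_export($s, true),
        var_export(filter_ip_charclass($s), true),
        sanitize_ip($s));
}
```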


Messages In This Thread
RE: Discuss: MyBB 1.2.4 Released - Important Security Update - by laie_techie - 2007-04-04, 07:19 PM
