4 Replies Latest reply on Jul 27, 2008 7:54 PM by (shane_mosier)

    Is ADDT built to support anti-SQL injection

      I was wondering if I still have to use mysql_real_escape_string to help against SQL injection, or whether ADDT is built with these anti-SQL-injection mechanisms.
        • 1. Re: Is ADDT built to support anti-SQL injection
          Günter Schenk Level 4
          Hi,

          Regardless of whether it's a native Dreamweaver form or one that's built with ADDT, it's actually Dreamweaver that takes care of that, as each and every form page has the following code inserted at the top:

          --------
          if (!function_exists("GetSQLValueString")) {
              // Escapes one request value and formats it for inline use in a MySQL
              // statement, according to the column type the server behavior passes
              // in ("text", "long", "int", "double", "date" or "defined").
              function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
              {
                  // Undo PHP's magic_quotes_gpc so the value is not escaped twice.
                  $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;

                  // Escape quotes, backslashes and NUL/newline bytes for MySQL, preferring
                  // the connection-charset-aware function when the PHP build has it.
                  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

                  switch ($theType) {
                      case "text":
                          // Quoted string literal; an empty field becomes SQL NULL.
                          $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                          break;
                      case "long":
                      case "int":
                          // Coerce to an integer so only digits reach the query.
                          $theValue = ($theValue != "") ? intval($theValue) : "NULL";
                          break;
                      case "double":
                          $theValue = ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
                          break;
                      case "date":
                          // Dates are passed through quoted, with no format validation.
                          $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
                          break;
                      case "defined":
                          // Checkbox-style fields: substitute a fixed value for set/unset.
                          $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
                          break;
                  }
                  return $theValue;
              }
          }
          ---------

          Cheers,
          Günter Schenk
          Adobe Community Expert, Dreamweaver
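The following is an added example, not code from this thread, from Dreamweaver or from ADDT. It shows the shape in which Dreamweaver's native Insert Record server behavior calls GetSQLValueString (an sprintf() with one typed value per column) and what the function turns typical form input into. It assumes the generated page escapes with mysql_real_escape_string on an open connection; to run offline, escapeForDemo() is a stand-in that escapes the same seven characters that function handles for a single-byte connection charset, and demoSQLValueString() is the function quoted above with only that call swapped and the magic_quotes handling dropped (it no longer exists in PHP 8). Both names, the members table and the insertMemberPrepared() function are hypothetical.

```php
<?php
// Added example (not Dreamweaver, ADDT or thread code). escapeForDemo() is an
// offline stand-in for mysql_real_escape_string on a single-byte charset.
function escapeForDemo(string $v): string
{
    return strtr($v, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ]);
}

// The quoted GetSQLValueString with the escape call swapped for the stand-in
// (hypothetical name). Same type dispatch, same NULL handling.
function demoSQLValueString($theValue, string $theType, $theDefinedValue = "", $theNotDefinedValue = ""): string
{
    $theValue = escapeForDemo((string) $theValue);
    switch ($theType) {
        case "text":
        case "date":
            // Quoted string literal; an empty field becomes SQL NULL.
            return ($theValue != "") ? "'" . $theValue . "'" : "NULL";
        case "long":
        case "int":
            // intval() keeps only a leading integer, so non-digits never reach the query.
            return ($theValue != "") ? (string) intval($theValue) : "NULL";
        case "double":
            return ($theValue != "") ? "'" . doubleval($theValue) . "'" : "NULL";
        case "defined":
            return ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
    }
    return $theValue;
}

// Constructed form submission standing in for $_POST.
$post = [
    'username'   => "O'Brien",  // legitimate apostrophe that must be escaped
    'age'        => "42abc",    // trailing junk is discarded by intval()
    'joined'     => "",         // empty date becomes NULL
    'newsletter' => "on",       // checkbox: present means 'Y', absent means 'N'
];

// This is the shape of the statement Dreamweaver's Insert Record code builds:
// sprintf() with one %s per column and GetSQLValueString() typing each value.
$insertSQL = sprintf(
    "INSERT INTO members (username, age, joined, newsletter) VALUES (%s, %s, %s, %s)",
    demoSQLValueString($post['username'], "text"),
    demoSQLValueString($post['age'], "int"),
    demoSQLValueString($post['joined'], "date"),
    demoSQLValueString($post['newsletter'], "defined", "'Y'", "'N'")
);
echo $insertSQL, PHP_EOL;

// The same insert as a mysqli prepared statement: the values travel separately
// from the SQL text, so there is no per-value escaping step to remember and
// nothing depends on the escape function knowing the connection charset.
// Needs a live connection, so it is only defined here, not run.
function insertMemberPrepared(mysqli $db, string $username, string $age, string $joined, bool $newsletter): bool
{
    $stmt = $db->prepare("INSERT INTO members (username, age, joined, newsletter) VALUES (?, ?, ?, ?)");
    if ($stmt === false) {
        return false;
    }
    $ageOrNull    = ($age !== "") ? intval($age) : null;
    $joinedOrNull = ($joined !== "") ? $joined : null;
    $flag         = $newsletter ? "Y" : "N";
    $stmt->bind_param("siss", $username, $ageOrNull, $joinedOrNull, $flag);
    return $stmt->execute();
}
```

Run with `php` on the command line; the echoed statement carries the apostrophe in O'Brien as `\'`, the age as the bare integer 42, the empty date as NULL and the checkbox as 'Y'. The "date" branch is worth noticing in the original too: it quotes and escapes but does not validate the format, so any date validation has to happen in the form page itself. The prepared-statement function is the form a practitioner maintaining these pages today would move to, since the mysql_* extension the generated code relies on was removed in PHP 7.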
          • 2. Re: Is ADDT built to support anti-SQL injection
            Level 1
            Günter,

            Had a quick question about this...

            Where is the function GetSQLValueString actually called? I'm assuming it's called behind the scenes. I see that it's defined in every form page, but where is this function actually referenced?

            Thanks,

            Shane
            • 3. Re: Is ADDT built to support anti-SQL injection
              Günter Schenk Level 4
              Hi Shane,

              Yeah, you're probably right, ADDT's forms don't reference DW's native "GetSQLValueString" function at all. But the file "includes/common/KT_functions.inc.php" has a function named "KT_getRealValue", which is itself referenced internally in various other files, and which applies the "get_magic_quotes_gpc" function and the "KT_stripslashes" function to transaction values.

              The file "includes/common/lib/db/KT_FakeRecordset.class.php" has two functions named "getMySQLfakeRS" (for MySQL versions older than 4) and "getMySQL4fakeRS" (for MySQL version 4 or higher), which both apply the "mysql_escape_string" function to ADDT's "Fake Recordsets".

              Whoa, that was tough to look up, as it's all cluttered across various files ;-)

              Cheers,
              Günter Schenk
              Adobe Community Expert, Dreamweaver
              • 4. Re: Is ADDT built to support anti-SQL injection
                Level 1
                Günter,

                Thanks very much for the information and the time you spent looking for that. I was just curious because I wasn't sure that it's even necessary to have the GetSQLValueString code in the pages.

                I had found a thread on the old Interakt forums that referred to an error message saying that the function GetSQLValueString was not found, and the solution was that the whole GetSQLValueString function had been deleted out of the page and needed to be added back. However, I couldn't find any place that this function was called from in the ADDT code.

                Thanks again for the information.

                Shane