
Topic on Extension talk:RandomPageSettings/Flow

Dantman (talk | contribs)

This doesn't look very well coded. Even besides the whole hack of assuming that people use /wiki/$1 action urls. If it weren't for the fact that a ' gets turned into a %## by rawurlencode this extension would have a blatant open SQL injection vulnerability. This extension should be properly quoting its user input.

It's also messed up in how it escapes for comparison against page_title:

  • Any _ in the article path will match any single character
  • Anything that gets urlencoded by rawurlencode will end up as a %## which is not the format that said text will use inside the actual database
  • Additionally, because of the nature of '%' in a LIKE, any special character will actually introduce wildcard matching into the LIKE query.

We have a proper method to use for building LIKE queries, this extension should make use of that. It should also consider using Title::'s functionality to properly normalize titles and ignore illegal titles.

Rotsee (talk | contribs)

Thank you for pointing those things out. I'm still trying to learn how these things work. I'll look through the Title class and see what I can find there. rotsee 08:28, 25 November 2011 (UTC)

Dantman (talk | contribs)

See these methods:

  • Title::newFromText();
  • $title->getDBkey();
  • $title->getNamespace();
  • Database::buildLike
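As an added illustration of the three LIKE problems listed above (not code from the RandomPageSettings extension, which is PHP), this Python snippet runs the criticised rawurlencode-style pattern and a buildLike-style escaped pattern against a constructed in-memory SQLite page table; to_dbkey is a simplified stand-in for Title::newFromText()->getDBkey(), and a prefix match is assumed for illustration.

```python
import sqlite3
import urllib.parse

# Constructed sample page_title values (MediaWiki DB keys store spaces as '_').
SAMPLE_TITLES = ["Main_Page", "Main_Page/Sub", "Main-Page", "MainXPage",
                 "100%_done", "C&D", "Cheap_26Dollars"]


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE page (page_title TEXT)")
    conn.executemany("INSERT INTO page VALUES (?)", [(t,) for t in SAMPLE_TITLES])
    return conn


def to_dbkey(text):
    """Simplified stand-in for Title::newFromText()->getDBkey(): trim, spaces to
    '_', and reject empty titles or characters MediaWiki forbids in titles."""
    key = text.strip().replace(" ", "_")
    if not key or any(c in key for c in "#<>[]|{}"):
        return None  # illegal title: the caller skips it instead of querying
    return key


def escape_like(fragment, esc="\\"):
    """What Database::buildLike() does for a literal fragment: escape the escape
    character, then '%' and '_', so each matches only itself."""
    return (fragment.replace(esc, esc * 2)
                    .replace("%", esc + "%")
                    .replace("_", esc + "_"))


def legacy_pattern(text):
    # The pattern the thread criticises: rawurlencode() output used as-is.
    # '_' stays a one-character wildcard and every encoded byte adds a '%'.
    return urllib.parse.quote(text.replace(" ", "_"), safe="") + "%"


def titles_with_prefix(conn, text, safe=True):
    """Titles starting with the user-supplied text. The value is always bound
    as a parameter (the equivalent of proper quoting), never inlined."""
    if safe:
        key = to_dbkey(text)
        if key is None:
            return []
        pattern = escape_like(key) + "%"  # literal key + anyString()
        sql = "SELECT page_title FROM page WHERE page_title LIKE ? ESCAPE '\\'"
    else:
        pattern = legacy_pattern(text)
        sql = "SELECT page_title FROM page WHERE page_title LIKE ?"
    return sorted(r[0] for r in conn.execute(sql, (pattern,)))
```

With safe=False, "Main Page" also matches "Main-Page" and "MainXPage", "100% done" matches nothing because the stored title contains no "25", and "C&D" matches "Cheap_26Dollars" but not "C&D" itself; the escaped form returns only the intended rows.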