SQL injection and quotes

cfapress wrote on Tuesday, July 21, 2009:

To All Developers —

I know this topic has come up in the past but I can’t recall any clear resolution. Correct me if I’m wrong.

In an effort to prevent SQL injection attacks we need to clean up all SQL calls. One way to do that is by using mysql_real_escape_string on all variables in WHERE clauses. This function is already used in a function within <oemr>/library/sql.inc. So there’s no worry about using a function that’s too new.

Even better is to make a wrapper function in sql.inc for the ft_dbsql and ft_xss functions in <oemr>/library/classes/Filtreatment_class.php.

I believe that more developers are familiar with looking for a file named "sql"-something-or-other and Filtreatment_class for filtering malicious SQL stuff.

Thoughts and comments are quite welcome.

Jason
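As an added illustration of the wrapper idea discussed in this post (example code, not from the post or from OpenEMR's sql.inc): three ways of getting a user-supplied value into a WHERE clause, run against an in-memory SQLite database through PDO so it works without a MySQL server. The wrapper names sqlQueryEscaped and sqlQueryBound are hypothetical, and PDO::quote stands in for mysql_real_escape_string, which needs a live MySQL link.

```php
<?php
// Added example, not OpenEMR code. An in-memory SQLite database via PDO
// replaces the MySQL connection so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE patient_data (pid INTEGER, lname TEXT)");
// Constructed sample rows; the embedded quote in O'Brien is the legitimate
// case that naive escaping-by-hand tends to break.
$pdo->exec("INSERT INTO patient_data VALUES (1,'Smith'),(2,'O''Brien'),(3,'Jones')");

// 1. The pattern the clean-up is meant to remove: the raw value is spliced
//    into the SQL text. A quote inside $lname terminates the literal and the
//    remainder of the input becomes part of the WHERE condition.
function countUnsafe(PDO $pdo, string $lname): int {
    $rows = $pdo->query("SELECT * FROM patient_data WHERE lname = '$lname'");
    return count($rows->fetchAll());
}

// 2. Escape-based wrapper (hypothetical name). Every argument is escaped AND
//    quoted by the driver before being substituted for a %s placeholder, so
//    callers must write "lname = %s", never "lname = '%s'"; doubling the quotes
//    is the classic mistake with escaping helpers.
function sqlQueryEscaped(PDO $pdo, string $sql, array $args): array {
    $quoted = array_map(fn($v) => $pdo->quote((string)$v), $args);
    return $pdo->query(vsprintf($sql, $quoted))->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Bound-parameter wrapper (hypothetical name). Values are sent separately
//    from the SQL text, so no quoting decision is left to the caller and a
//    quote character in the data is just data.
function sqlQueryBound(PDO $pdo, string $sql, array $args): array {
    $stmt = $pdo->prepare($sql);
    $stmt->execute($args);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input containing a quote, the kind of value the escaping is for.
$hostile = "x' OR '1'='1";
echo "raw interpolation matched: ", countUnsafe($pdo, $hostile), " rows\n";
echo "escaped wrapper matched:   ",
    count(sqlQueryEscaped($pdo, "SELECT * FROM patient_data WHERE lname = %s", [$hostile])), " rows\n";
echo "bound wrapper matched:     ",
    count(sqlQueryBound($pdo, "SELECT * FROM patient_data WHERE lname = ?", [$hostile])), " rows\n";
echo "bound wrapper, O'Brien:    ",
    count(sqlQueryBound($pdo, "SELECT * FROM patient_data WHERE lname = ?", ["O'Brien"])), " rows\n";
```

Only the first call lets the quote in the input change the shape of the query; both wrappers treat it as an ordinary string value, and the bound form also removes the caller's responsibility for placing quotes correctly.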