bradymiller wrote on Tuesday, January 07, 2014:
Hi ZH,
I am assuming this is to answer my questions above, which were sort of trick questions.
1. Regarding your security document above, how do you plan to secure the following from SQL injection:
SELECT * FROM $variable_table_name WHERE 'value'=? ORDER BY $variable_direction LIMIT $variable_limit
(note there are functions within openemr database engine that do these things already)
I am asking you how you are going to escape the $variable_table_name, $variable_direction and $variable_limit variables in the above sql statement. You can’t use parameters there; note this has been dealt with in openemr’s current database scheme/functions.
2. Are you able to insert a new sql row of data and correctly return the insert row id?
Ensure your log function insert call does not replace the id. This was a super annoying bug that has been dealt with in openemr’s current database scheme/functions and was operating system and php version dependent (for example, this is why openemr did not use to work on newer xampp versions in the past).
3. Is your log function doing the same thing as the original log function in openemr?
Your log function is 8 lines and the one in openemr now is using a library of code about 500 lines long…
library/log.inc
You are missing md5sums, ATNA connections, categorization, etc…
Additionally, just by looking at the code, your method of recreating the sql queries that use binding is not in the same format and will break if there are any '?' symbols in the data fields.
Please note this is only the beginning of converting to another database engine…
Regarding security, Zend does give you tools in the security aspect, but it is important to note that there seems to be nothing there that does not already exist in openemr’s library, except for the javascript and css escaping functions, which would be very useful to analyze and also get within openemr’s native codebase at some point for non-zend stuff.
-brady
OpenEMR
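The three points raised in the post above (identifiers and keywords that cannot be bound as parameters, returning the inserted row id without the audit-log insert clobbering it, and rebuilding a bound query for the log without breaking on a '?' in the data) are shown below as an added example. This is not OpenEMR's code and not the code under review; it uses Python with an in-memory sqlite3 database instead of PHP/MySQL, and the table and column names (prescriptions, lists, pid, drug, log.query) are assumptions invented for the demo. OpenEMR's real helpers are in library/sql.inc and library/log.inc, as the post says.

```python
import re
import sqlite3

# Added example, not OpenEMR code. Table/column names (prescriptions, lists,
# pid, drug, log.query) are assumptions for this demo; the real helpers the
# post refers to live in OpenEMR's library/sql.inc and library/log.inc.

# Identifiers and keywords cannot be bound as parameters, so they are checked
# against a fixed whitelist instead of being escaped.
ALLOWED_TABLES = {"prescriptions", "lists"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}

def safe_table(name):
    """Return the name only if it is a known table; anything else is refused."""
    if name not in ALLOWED_TABLES:
        raise ValueError("unknown table: %r" % (name,))
    return name

def safe_direction(direction):
    """Normalise an ORDER BY direction; only ASC or DESC survive."""
    d = str(direction).strip().upper()
    if d not in ALLOWED_DIRECTIONS:
        raise ValueError("bad sort direction: %r" % (direction,))
    return d

def safe_limit(limit):
    """A LIMIT must be a plain non-negative integer; it is cast, not escaped."""
    if not re.fullmatch(r"[0-9]+", str(limit)):
        raise ValueError("bad limit: %r" % (limit,))
    return int(limit)

def is_rejected(validator, value):
    """True when the validator refuses the value (shows injection attempts fail)."""
    try:
        validator(value)
    except ValueError:
        return True
    return False

def build_select(table, direction, limit):
    """Whitelisted identifiers go into the string; the data value stays a ? placeholder."""
    return "SELECT * FROM %s WHERE pid = ? ORDER BY id %s LIMIT %d" % (
        safe_table(table), safe_direction(direction), safe_limit(limit))

def quote_literal(value):
    """Quote a value for the human-readable copy of a query kept in the audit log."""
    return "'" + str(value).replace("'", "''") + "'"

def naive_rebuild(sql, params):
    """Buggy reconstruction: str.replace() one placeholder at a time. Once a
    substituted value contains '?', the next replacement lands inside it."""
    out = sql
    for value in params:
        out = out.replace("?", quote_literal(value), 1)
    return out

def rebuild_for_log(sql, params):
    """Split the template on its placeholders first, then interleave the quoted
    values, so a '?' inside the data is never rescanned."""
    parts = sql.split("?")
    if len(parts) != len(params) + 1:
        raise ValueError("placeholder/parameter count mismatch")
    out = [parts[0]]
    for value, rest in zip(params, parts[1:]):
        out.append(quote_literal(value))
        out.append(rest)
    return "".join(out)

def setup_db():
    """Constructed in-memory schema with a few seed rows (sample data, not OpenEMR's)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE prescriptions (id INTEGER PRIMARY KEY, pid INTEGER, drug TEXT);
        CREATE TABLE lists (id INTEGER PRIMARY KEY, pid INTEGER, title TEXT);
        CREATE TABLE log (id INTEGER PRIMARY KEY, query TEXT);
    """)
    conn.executemany("INSERT INTO prescriptions (pid, drug) VALUES (?, ?)",
                     [(1, "aspirin"), (1, "zinc"), (1, "metformin")])
    return conn

def last_insert_id(conn):
    """Connection-level last insert id, the same notion as MySQL's LAST_INSERT_ID()."""
    return conn.execute("SELECT last_insert_rowid()").fetchone()[0]

def insert_logged(conn, sql, params):
    """Run an INSERT, write the audit-log row, return the id of the *data* row.
    The id is read before the log INSERT, or it would belong to the log row."""
    conn.execute(sql, params)
    new_id = last_insert_id(conn)
    conn.execute("INSERT INTO log (query) VALUES (?)", (rebuild_for_log(sql, params),))
    return new_id

def insert_logged_wrong(conn, sql, params):
    """Same work, but reads the id after logging: returns the log row's id instead."""
    conn.execute(sql, params)
    conn.execute("INSERT INTO log (query) VALUES (?)", (rebuild_for_log(sql, params),))
    return last_insert_id(conn)
```

The rebuilt query string here is only for a readable audit copy, not for execution; the live statement is always run with the value bound. The split-and-interleave approach assumes the template has no literal '?' outside its placeholders, which holds for SQL written to use binding. Everything the post lists beyond this (md5sums, ATNA, categorization) is out of scope for the demo.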