🕸Fergus Duniho wrote on Tue, Apr 24, 2018 03:18 PM UTC:
I just wrote another function called valid_column_name(). It takes a table name and a column name as its two arguments, and it returns whether the column name is the name of a column in that table. To avoid redundancy, it does not check whether the table name is valid. This should have already been done with valid_table_name. Using these two functions inside of table_row(), table_rows(), and get_field(), these functions for reading the database should now be immune to SQL injection from user input.
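As an added illustration of the allow-listing approach the post describes (example code written here, not from the Chess Variant Pages code base, which is PHP), the function names valid_table_name, valid_column_name and get_field are borrowed from the post; the SQLite schema and rows are a constructed stand-in for the site's database.

```python
import sqlite3

# Constructed stand-in schema (assumption), not the site's real tables.
SCHEMA = """
CREATE TABLE Item (ItemID TEXT PRIMARY KEY, Name TEXT, Author TEXT);
CREATE TABLE Person (PersonID TEXT PRIMARY KEY, Name TEXT);
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO Item VALUES ('chess', 'Chess', 'unknown')")
    return conn


def valid_table_name(conn, table):
    """True only if `table` is exactly the name of a table in the schema."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


def valid_column_name(conn, table, column):
    """True only if `column` is a column of `table`.

    As in the post, the table name is NOT re-checked here; callers must have
    passed it through valid_table_name() first, which is what makes quoting
    it into the PRAGMA below safe."""
    quoted = table.replace('"', '""')
    cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{quoted}")')]
    return column in cols


def get_field(conn, table, column, key_column, key_value):
    """Read one field: identifiers are allow-listed against the schema,
    the lookup value goes through a bound parameter, never string-built."""
    if not valid_table_name(conn, table):
        raise ValueError(f"unknown table: {table!r}")
    for name in (column, key_column):
        if not valid_column_name(conn, table, name):
            raise ValueError(f"unknown column: {name!r}")
    sql = f'SELECT "{column}" FROM "{table}" WHERE "{key_column}" = ?'
    row = conn.execute(sql, (key_value,)).fetchone()
    return row[0] if row else None
```

Because identifiers are matched against the live schema rather than sanitised, anything that is not literally a table or column name is refused before any query is built.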