Status: Closed (works as designed)
Project: Entity API
Version: 7.x-1.0-rc2
Component: Code - misc
Priority: Critical
Category: Bug report
Assigned: Unassigned
Reporter:
Created: 31 Aug 2012 at 09:34 UTC
Updated: 5 Sep 2012 at 06:37 UTC
This is really a supportive module, but IBM AppScan is reporting SQL Injection in the entity.features.inc file at line No. 112, i.e.
$export .= addcslashes(entity_export($this->type, $entity, ' '), '\\\' ');
Please help me with how to cope with it.
Thanks
Comments
Comment #1
prakashsingh commented:
I was actually using the Organic Groups module, and OG is dependent on Entity API, but now I have commented out the above line and everything works fine.
I just want to know what impact this line has, and whether I would ever have any difficulty in future by doing so.
Regards
Comment #2
fago commented:
Do you see any SQL at this line?
Comment #3
prakashsingh commented:
No, no SQL at all; the function that contains this line is actually implementing hook_features_export_render().
I think this function will only be called at the time of a Features export, which I am not supposed to do in future either.
So, does it mean that what I have done is safe?
Regards
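An added example (the editor's, not Entity API's code and not anything posted in this issue) of what the flagged line actually does: it escapes an exported entity so it can be embedded in a single-quoted PHP string literal inside the generated .features.inc file, which Features later includes. Entity API's entity_export() and entity_import() are replaced by json_encode()/json_decode() stand-ins so the script runs without Drupal, and the sample entities are constructed to contain the characters that would break a naive concatenation. The triage point it demonstrates: no SQL is built on this code path, and addcslashes() with a charlist of backslash and single quote escapes exactly the two characters that have meaning inside a single-quoted PHP literal, so a scanner match on it as "SQL escaping" is a false positive here. As comment #3 notes, the renderer runs only during a Features export, so removing the line affects only generated exports.

```php
<?php
// Added example (editor's, not Entity API's own code). The Drupal functions
// entity_export()/entity_import() are stood in for by json_encode()/json_decode()
// so the script runs stand-alone; the names demo_* are hypothetical.

// Stand-in for entity_export(): serialise an entity to a string.
function demo_entity_export($type, array $entity) {
  return json_encode($entity);
}

// Stand-in for entity_import(): parse that string back into an entity.
function demo_entity_import($type, $json) {
  return json_decode($json, TRUE);
}

// Mimics the Features export renderer: emit PHP source that recreates each
// entity when the generated file is included. This is code generation, not SQL.
function demo_render_export($type, array $entities) {
  $export = "\n";
  foreach ($entities as $name => $entity) {
    // Backslash and single quote are the only two characters with meaning
    // inside a single-quoted PHP literal; escaping them keeps entity content
    // from terminating the literal and injecting PHP into the export file.
    $escaped = addcslashes(demo_entity_export($type, $entity), '\\\'');
    $export .= "  \$entities['$name'] = demo_entity_import('$type', '$escaped');\n";
  }
  return $export;
}

// Constructed sample entities: labels containing quotes, backslashes,
// a PHP close tag and a comment marker.
$entities = array(
  'group_type' => array('label' => "O'Reilly's \\ group", 'weight' => 1),
  'sneaky' => array('label' => "'); system('id'); //?>", 'weight' => 2),
);

$source = "<?php\n\$entities = array();\n"
  . demo_render_export('og_type', $entities)
  . "return \$entities;\n";
echo $source;

// Include the generated source the way Features includes a .features.inc
// file, then verify that every entity survives the round trip unchanged.
$file = tempnam(sys_get_temp_dir(), 'feat');
file_put_contents($file, $source);
$restored = include $file;
unlink($file);

if ($restored !== $entities) {
  throw new RuntimeException('Round trip through the generated export failed');
}
echo "Round trip through the generated export succeeded.\n";
```

Run it with the php command-line binary. The echoed source shows each quote and backslash in the labels doubled or escaped, and the include step shows that the generated file parses and returns the original entities; dropping the addcslashes() call and re-running shows the second label terminating the literal, which is the code-injection risk the escaping actually prevents.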