Siren #11: incorrect use of db_escape_string() [#199214]

db_escape_string() should use for escape user query argument inputs. $ts['sql'] is column name, where $ts['sort'] are ASC or DESC. They shouldn't use db_escape_string().

Comment	File	Size	Author
#2	incorrect_db_escape_string-0.2.patch	776 bytes	hswong3i
	incorrect_db_escape_string-0.1.patch	775 bytes	hswong3i

Comments

Comment #1

hswong3i commented 10 December 2007 at 05:01

Title:	incorrect use of db_escape_string()	» Siren #11: incorrect use of db_escape_string()
Assigned:	Unassigned	» hswong3i

I mark this into my personal research project issue.

Comment #2

hswong3i commented 19 December 2007 at 06:55

Status	File	Size
new	incorrect_db_escape_string-0.2.patch	776 bytes

Patch reroll via latest CVS HEAD. Test without ill effect.

Comment #3

hswong3i commented 20 December 2007 at 02:43

Priority:

Normal

» Critical

Just hope to promote if we are able to fix this within D6 RC1.

Comment #4

gábor hojtsy

he/him

Hungarian

Hungary

commented 20 December 2007 at 09:03

Priority:	Critical	» Normal
Status:	Needs review	» Closed (duplicate)

This still needs to be sanitized. Feel free to merge with http://drupal.org/node/198856 as it is about %s, which is exactly a db_escape_string() just as with here, and even with column names as there.

Comment #5

hswong3i commented 20 December 2007 at 09:41

merged

Siren #11: incorrect use of db_escape_string()

Comments

Comment #1

Comment #2

Comment #3

Comment #4

Comment #5

News items

Our community

Documentation

Drupal code base

Governance of community