Posted by AjK on February 27, 2008 at 4:50pm
| Project: | Drupal core |
| Version: | 7.x-dev |
| Component: | node system |
| Category: | task |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | closed (fixed) |
Issue Summary
node.module:521 - node_load()
<?php
foreach ($param as $key => $value) {
  $cond[] = 'n.'. db_escape_string($key) ." = '%s'";
  $arguments[] = $value;
}
?>
As $key is not used in a string context (surrounded by ''), db_escape_string is useless. (initial report by Heine).
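The following is an added example, not code from Drupal core or from the patch attached to this issue. It shows why a string-literal escaper does nothing for a value spliced into SQL as a column name, and one way to constrain such keys instead. fake_db_escape_string() is a stand-in for db_escape_string(), assumed here to behave like mysql_real_escape_string(); build_where_original(), build_where_whitelisted() and the column list are this example's own names and assumptions, as are the sample $param arrays.

```php
<?php
// Added example, not Drupal core or this issue's patch.

// Stand-in for db_escape_string(): assumed to escape the way
// mysql_real_escape_string() does, i.e. only the characters that matter
// inside a quoted SQL string literal.
function fake_db_escape_string($text) {
  return str_replace(
    array("\\", "\0", "\n", "\r", "'", '"', "\x1a"),
    array("\\\\", "\\0", "\\n", "\\r", "\\'", '\\"', "\\Z"),
    $text
  );
}

// Builds the WHERE clause the way the quoted node_load() snippet does:
// the key becomes part of the identifier, the value goes through %s.
function build_where_original(array $param) {
  $cond = array();
  foreach ($param as $key => $value) {
    $cond[] = 'n.' . fake_db_escape_string($key) . " = '%s'";
  }
  return implode(' AND ', $cond);
}

// Hardened variant: the key is only ever used if it names a column we
// know exists. The column list is an assumption for this example (a
// subset of the {node} table), not taken from the issue.
function build_where_whitelisted(array $param) {
  $allowed = array('nid', 'vid', 'type', 'uid', 'status', 'title');
  $cond = array();
  foreach ($param as $key => $value) {
    if (!in_array($key, $allowed, true)) {
      throw new InvalidArgumentException("Unknown node column: $key");
    }
    $cond[] = 'n.' . $key . " = '%s'";
  }
  return implode(' AND ', $cond);
}

// Constructed inputs: a normal lookup, and a key that contains no quote
// or backslash, so the string escaper has nothing to change in it.
$benign  = array('nid' => '1', 'type' => 'page');
$unusual = array('nid = 1 OR 1' => '1');

echo build_where_original($benign), "\n";
echo build_where_original($unusual), "\n";   // key emitted verbatim

echo build_where_whitelisted($benign), "\n";
try {
  build_where_whitelisted($unusual);
}
catch (InvalidArgumentException $e) {
  echo 'rejected: ', $e->getMessage(), "\n";
}
```

Run it with `php example.php`. The second line of output contains the unusual key unchanged, because escaping quotes and backslashes is the wrong tool for text that is not inside quotes; the whitelist variant refuses it before any SQL is assembled. Drupal core also has db_escape_table(), which strips everything except alphanumerics, underscores and dots, and is the more conventional core fix for identifier positions; the whitelist above is shown because it is the stricter check.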
Comments
#1
And the patch.
#2
As per originating issue, changing to RTBC.
#3
Applicable to 5.x and 7.x as well. Moving back to 5.x but also need to be committed to 7.x then.
#4
(I committed to 6.x.).
#5
For the record, the initial report was by Stefan Esser, Mayflower & Zend in an audit commissioned by Die Zeit.
#6
patch for D7, from http://drupal.org/node/228233
#7
Committed to 5.x.
#8
This no longer applies, but it's going to be obsolete after #225450: Database Layer: The Next Generation gets in anyway.
#9
Since it was RTBC before, this is a re-roll, and this is not a huge patch, marking RTBC again
#10
Committed to CVS HEAD. Thanks!
#11
Automatically closed -- issue fixed for two weeks with no activity.