Posted by kiamlaluno on July 27, 2008 at 1:46pm
| Project: | Blog Add-ons |
| Version: | 6.x-1.1 |
| Component: | Code |
| Category: | bug report |
| Priority: | minor |
| Assigned: | Chajecki |
| Status: | active |
Issue Summary
As the Drupal documentation suggests, an SQL query should not have its parameters passed directly in the query text, but should use placeholders.
For example, a query like:
<?php
db_query("SELECT * from {table} WHERE field = ". $number);
?>
should be rewritten as:
<?php
db_query("SELECT * from {table} WHERE field = %d", $number);
?>
This would also prevent any XSS attack.
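The two forms above side by side, as an added example that is not part of the issue or of the Blog Add-ons module. Because Drupal 6's db_query() cannot run without a database bootstrap, the script below uses model_db_query(), an assumed stand-in that imitates how db_query() substitutes %d, %s, %f and %% placeholders; it is not Drupal's code, it skips {table} prefixing, and it uses addslashes() where Drupal escapes through the database driver. The hostile values are constructed for the demonstration.

```php
<?php
// Added example: a minimal model of Drupal 6 db_query() placeholder handling
// (assumed stand-in, not Drupal's own implementation in includes/database.inc).
// Only %d, %s, %f and %% are modelled; table-prefix handling is left out and
// addslashes() replaces the driver-specific escaping Drupal performs for %s.

function model_db_query($query, ...$args) {
    // db_query() also accepts its arguments as a single array.
    if (count($args) === 1 && is_array($args[0])) {
        $args = $args[0];
    }
    $i = 0;
    return preg_replace_callback('/%(d|s|f|%)/', function ($m) use ($args, &$i) {
        switch ($m[1]) {
            case '%':
                return '%';                                  // literal percent sign
            case 'd':
                return (string) (int) $args[$i++];           // integer: any SQL tail is dropped
            case 'f':
                return (string) (float) $args[$i++];
            case 's':
                return addslashes((string) $args[$i++]);     // caller must quote it: '%s'
        }
    }, $query);
}

// Constructed attacker-controlled input, e.g. from a URL or form field.
$evil_number = "1 OR 1=1";
$evil_string = "x' OR '1'='1";

// The pattern reported in the issue: the value is glued into the SQL text,
// so the attacker's "OR 1=1" becomes part of the WHERE clause.
$vulnerable = "SELECT * FROM {table} WHERE field = " . $evil_number;

// The fix proposed in the issue: %d casts the argument to an integer before
// it ever reaches the query, so only the leading "1" survives.
$fixed_int = model_db_query("SELECT * FROM {table} WHERE field = %d", $evil_number);

// For strings the placeholder is %s AND it must be wrapped in quotes in the
// query; the quote inside the value is escaped instead of closing the literal.
$fixed_str = model_db_query("SELECT * FROM {table} WHERE name = '%s'", $evil_string);

// Common mistake: %s without surrounding quotes still lets the value act as SQL.
$still_bad = model_db_query("SELECT * FROM {table} WHERE name = %s", $evil_string);

echo "vulnerable:  $vulnerable\n";
echo "fixed (%d):  $fixed_int\n";
echo "fixed (%s):  $fixed_str\n";
echo "unquoted %s: $still_bad\n";
```

Running the script shows the concatenated query ending in `field = 1 OR 1=1`, which matches every row, while the %d version ends in `field = 1`. Two caveats a reviewer would check for in the module: %s placeholders only help when the query text quotes them (`'%s'`), and placeholders address SQL injection only; output that reaches the page still needs check_plain() or the equivalent to address XSS.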
Comments
#1
#2
Thanks. Very good general comment and I will fix the problem. However, if you read the code you will realize that there were no risks of attacks in those cases.
Again, it will be fixed in a new release that will come in a few days.
#3
There would not be any risk of attacks with the current code, as the value used doesn't come from any user input.
I think it's generally better to use placeholders, just to prevent problems when the code is changed.
The "issue" is very minimal, and doesn't even require a normal priority; I am sorry I didn't set the right priority (I keep forgetting there is the possibility to change it).