Usernames, homepagenames and homepage URLs cannot be output as is.

  $member_comments[] = "<a href=\"$cb_record->homepage\" target=\"_blank\">$cb_record->homepagename</a>";

// and
  "Home page: <a href=\"$account->homepage\" target=\"_blank\">$account->homepagename</a>";

$account->homepage must be passed through check_url, $account->homepagename through check_plain. You should consider using t() and pass $account->homepagename via an @placeholder. Not escaping these values allows users to post code.

For more information, please read http://acko.net/blog/safe-string-theory-for-the-web and http://drupal.org/node/28984.

foreach ($process_node_types as $key => $value) {
  $process_node_types[$key] = "'$value'";
}
$process_node_type_list = implode(',', $process_node_types);
// knock it out
$qstr = 'UPDATE {node} SET comment = 1 WHERE nid IN
  (SELECT nid FROM {node_comment_statistics}
   WHERE last_comment_timestamp <= UNIX_TIMESTAMP() - 60*60*24*%d)' . ($process_node_type_list ? "AND type IN ($process_node_type_list)" : '');

I doubt there's an exploitable vulnerability here, but please use db_placeholders to generate the amount of placeholders you require, then pass the values in one array to db_query. Idem for _comment_commander_node_select().
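The two fixes asked for above, written out as an added example (this is not code from the comment_commander module or from this issue). It assumes the Drupal 6 APIs the review names (check_url, check_plain, t, db_placeholders, db_query) and the same $account, $cb_record and $process_node_types variables as the quoted snippets; $days is an assumed variable holding the integer the original query bound to %d.

```php
<?php
// Added example, not the module's code. Assumes Drupal 6 core APIs and the
// variables from the quoted snippets; $days is an assumed variable for the
// value bound to %d in the original query.

// --- Finding 1: escape user-supplied URL and label before output ----------
// check_url() strips dangerous protocols (e.g. javascript:) and HTML-escapes
// the result; check_plain() escapes the label. User-supplied markup in either
// field is rendered as text instead of being interpreted by the browser.
$member_comments[] = '<a href="' . check_url($cb_record->homepage) . '" target="_blank">'
  . check_plain($cb_record->homepagename) . '</a>';

// Same via t(): an @placeholder is passed through check_plain() by t() itself.
// check_url() already returns escaped text, so it goes in as a !placeholder
// (inserted as-is) to avoid double-escaping, e.g. &amp; becoming &amp;amp;.
$output = t('Home page: <a href="!url" target="_blank">@name</a>', array(
  '!url'  => check_url($account->homepage),
  '@name' => $account->homepagename,
));

// --- Finding 2: let db_query() quote the node types -----------------------
// db_placeholders() emits one '%s' per array element for type 'varchar', and
// db_query() escapes each bound value, so the manual "'$value'" quoting of
// the original foreach loop is dropped entirely.
$qstr = 'UPDATE {node} SET comment = 1 WHERE nid IN
  (SELECT nid FROM {node_comment_statistics}
   WHERE last_comment_timestamp <= UNIX_TIMESTAMP() - 60*60*24*%d)';
$args = array($days);
if (!empty($process_node_types)) {
  // Placeholder list and argument list are built from the same array, so the
  // number of placeholders always matches the number of bound values.
  $qstr .= ' AND type IN (' . db_placeholders($process_node_types, 'varchar') . ')';
  $args = array_merge($args, array_values($process_node_types));
}
db_query($qstr, $args);
```

The same pattern (append the `IN (...)` clause only when the array is non-empty, and extend the argument array in step with it) applies to _comment_commander_node_select().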

Comments

Prometheus6

Assigned: Unassigned » Prometheus6
Priority: Critical » Normal

The critical part is fixed.

Prometheus6

Status: Active » Closed (fixed)

The non-critical part (using db_placeholder) is complete.