Prevent SQL Injection when using modal as parameter [#3100809]

Parameter has to be filtered or escaped twice for different purposes: Once to prevent SQL injection and once more to prevent cross site scripting (XSS) attacks. The solution is to use an appropriate filter when needed. For example, just before sending plain text to the browser or mixing plain text with HTML, escape it with check_plain.

Comment	File	Size	Author
#6	Prevent_sql_injection_with_parameter-3100809-6.patch	885 bytes	Hardik_Patel_12
#6	8.x-2.x: PHP 7.1 & MySQL 5.5, D8.7 Patch Failed to Apply
#2	Prevent_sql_injection_with_parameter-3100809-2.patch	616 bytes	Hardik_Patel_12
#2	8.x-2.x: PHP 7.1 & MySQL 5.5, D8.7 3 pass

Support from Acquia helps fund testing for Drupal Acquia logo

Comments

Comment #1

13 December 2019 at 08:09

Hardik_Patel_12 created an issue. See original summary.

Comment #2

Hardik_Patel_12 CreditAttribution: Hardik_Patel_12 at QED42 commented 13 December 2019 at 08:10

File	Size
Prevent_sql_injection_with_parameter-3100809-2.patch	616 bytes
8.x-2.x: PHP 7.1 & MySQL 5.5, D8.7 3 pass

Kindly apply and review patch

Comment #3

Hardik_Patel_12 CreditAttribution: Hardik_Patel_12 at QED42 commented 13 December 2019 at 08:10

Status:

Active

» Needs review

Comment #4

renatog

Campinas

CreditAttribution: renatog at CI&T commented 13 December 2019 at 11:14

Status:

Needs review

» Reviewed & tested by the community

Makes sense.

We'll test but really looks good

Comment #5

renatog

Campinas

CreditAttribution: renatog at CI&T commented 13 December 2019 at 16:17

Status:

Reviewed & tested by the community

» Needs work

We get this error:

Error: Call to undefined function Drupal\modal_page\check_plain() in Drupal\modal_page\ModalPage->getModalToShow()

Comment #6

Hardik_Patel_12 CreditAttribution: Hardik_Patel_12 at QED42 commented 16 December 2019 at 04:47

Status:

Needs work

» Needs review

File	Size
Prevent_sql_injection_with_parameter-3100809-6.patch	885 bytes
8.x-2.x: PHP 7.1 & MySQL 5.5, D8.7 Patch Failed to Apply

1 file was hidden/shown/deleted

File	Size
Prevent_sql_injection_with_parameter-3100809-2.patch	616 bytes
8.x-2.x: PHP 7.1 & MySQL 5.5, D8.7 3 pass

Resolved replaced check plain with Html::escape kindly review patch

Comment #7

renatog

Campinas

CreditAttribution: renatog at CI&T commented 16 December 2019 at 11:45

It really looks good!

We'll test! Thanks a lot

Comment #8

renatog

Campinas

CreditAttribution: renatog at CI&T commented 16 December 2019 at 15:29

Status:

Needs review

» Reviewed & tested by the community

Tested and really works well

Comment #9

16 December 2019 at 15:29

RenatoG committed ff2a4fb on 8.x-2.x authored by Hardik_Patel_12

Issue #3100809 by Hardik_Patel_12, RenatoG: Prevent SQL Injection when...

Comment #10

renatog

Campinas

CreditAttribution: renatog at CI&T commented 16 December 2019 at 15:29

Status:

Reviewed & tested by the community

» Fixed

Committed to the dev branch.

Thanks a lot!

Best,

Comment #11

30 December 2019 at 15:34

Status:

Fixed

» Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

Prevent SQL Injection when using modal as parameter

Comments

Comment #1

Comment #2

Comment #3

Comment #4

Comment #5

Comment #6

Comment #7

Comment #8

Comment #9

Comment #10

Comment #11

Thank you to these Drupal contributors

News items

Our community

Documentation

Drupal code base

Governance of community