This code uses raw $_GET parameters in SQL queries without escaping them, creating a hole for a potential SQL injection exploit.

https://cgit.drupalcode.org/simple_glossary/tree/src/Controller/Glossary...

if ((isset($_GET['keyword'])) && (!empty($_GET['keyword']))) {
  $keywordLength = strlen($_GET['keyword']);
  if (($keywordLength == 1) && (preg_match("/^[a-zA-Z]$/", strtoupper($_GET['keyword'])))) {
    $whereCondition = "where (SUBSTR(term,1,1) = '".$_GET['keyword']."') ";
  } else {
    $whereCondition = "where (term LIKE '%".$_GET['keyword']."%')";
  }
} else if ((isset($ltr)) && (!empty($ltr))) {
  $whereCondition = "where (SUBSTR(term,1,1) = '".$ltr."')";
} else {
  $whereCondition = "";
}
$result = db_query("SELECT * FROM simple_glossary_content ".$whereCondition." order by term ASC");

You should be using the Request object to inspect parameters and/or filtering/escaping them. You should also use query placeholders.

See:
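A hardened rewrite of the controller snippet above, as an added example (not the simple_glossary module's own code). It assumes Drupal 8+, where the request and the database connection are available via \Drupal::request() and \Drupal::database() (or injected into the controller), and the same simple_glossary_content table with a term column; the function name is made up for the example.

```php
<?php
// Added example, not the module's code: same lookup via the Request
// object and query placeholders. Assumes Drupal 8+ and the original
// simple_glossary_content table with a `term` column.

use Drupal\Core\Database\Connection;
use Symfony\Component\HttpFoundation\Request;

/**
 * Returns glossary rows filtered by an optional keyword or first letter.
 *
 * $request and $connection come from \Drupal::request() and
 * \Drupal::database(), or are injected into the controller. $ltr is the
 * optional first-letter filter from the original snippet.
 */
function simple_glossary_example_lookup(Request $request, Connection $connection, $ltr = NULL) {
  // Read the parameter through the Request object instead of raw $_GET.
  $keyword = (string) $request->query->get('keyword', '');
  $args = [];
  $where = '';

  if ($keyword !== '') {
    if (preg_match('/^[a-zA-Z]$/', $keyword)) {
      // Single-letter browse: exact match on the first character.
      $where = 'WHERE SUBSTR(term, 1, 1) = :letter';
      $args[':letter'] = $keyword;
    }
    else {
      // Free-text search: escapeLike() neutralises % and _ inside the
      // input; the placeholder lets the driver do the quoting.
      $where = 'WHERE term LIKE :pattern';
      $args[':pattern'] = '%' . $connection->escapeLike($keyword) . '%';
    }
  }
  elseif ($ltr !== NULL && preg_match('/^[a-zA-Z]$/', $ltr)) {
    // The letter filter may also be user-controlled, so validate it too.
    $where = 'WHERE SUBSTR(term, 1, 1) = :letter';
    $args[':letter'] = $ltr;
  }

  // No user value is concatenated into the SQL string; placeholders are
  // bound by the driver. {braces} let Drupal apply its table prefix.
  return $connection
    ->query("SELECT * FROM {simple_glossary_content} $where ORDER BY term ASC", $args)
    ->fetchAll();
}
```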

Comments

kevinquillen created an issue. See original summary.

himanshu_batra

Status: Active » Fixed

Fixed issue: use proper SQL querying.

kevinquillen

Status: Fixed » Needs work

This is not fixed - no code has been changed in the repository.

himanshu_batra

Status: Needs work » Needs review

himanshu_batra

Status: Needs review » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.