Using $_GET['q'] directly in database statements is confusing. Instead you should use normal dbtng parameters.
Comment | File | Size | Author |
---|---|---|---|
#1 | fast_404-2123775-2.patch | 3.37 KB | skilip |
Comments
Comment #1
skilip commented

Comment #2
hefox commented

Comment #3
hefox commented
republishing
Comment #4
soyarma commented
I researched this with the Drupal security team and the ? placeholder does do escaping via the PDO library. I also attempted to do injections and was unsuccessful, so it's been flagged as not a security issue.
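As an added illustration of the point made in the issue summary and in comment #4 (this script is not the fast_404 patch and not Drupal code), the example below runs three ways of putting a request path into a query against an in-memory SQLite database through PDO, the binding layer that Drupal 7's db_query() sits on. The table, its rows, the request path and the `lookup_*` function names are all constructed for this example.

```php
<?php
// Added example, not fast_404 or Drupal core code. Contrasts string interpolation
// of the request path with an unnamed (?) and a named (:path) PDO placeholder.
// Everything below is constructed for the demonstration.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Simplified stand-in for a path alias table (constructed, not Drupal's schema).
$pdo->exec("CREATE TABLE url_alias (alias TEXT NOT NULL, source TEXT NOT NULL)");
$pdo->exec("INSERT INTO url_alias VALUES ('about', 'node/1'), ('contact', 'node/2')");

// Constructed request path, standing in for what $_GET['q'] holds after the
// front controller unpacks the request. The quote and OR are chosen to show
// what happens when the value is spliced into SQL text.
$q = "nothing' OR '1'='1";

// 1. Interpolation: the request path becomes part of the SQL statement itself,
//    so the quote in $q closes the string literal and the OR rewrites the WHERE.
function lookup_interpolated(PDO $pdo, $q) {
  $sql = "SELECT source FROM url_alias WHERE alias = '$q'";
  return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Unnamed placeholder: the value is bound, never parsed as SQL, but a reader
//    has to count positions to see which argument feeds which placeholder.
function lookup_unnamed(PDO $pdo, $q) {
  $stmt = $pdo->prepare("SELECT source FROM url_alias WHERE alias = ?");
  $stmt->execute(array($q));
  return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// 3. Named placeholder: the binding is just as safe and the call site says
//    which value is the path. This is the shape Drupal 7's DBTNG convention
//    expects, e.g.
//    db_query("SELECT source FROM {url_alias} WHERE alias = :path",
//             array(':path' => $q));
function lookup_named(PDO $pdo, $q) {
  $stmt = $pdo->prepare("SELECT source FROM url_alias WHERE alias = :path");
  $stmt->execute(array(':path' => $q));
  return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

var_dump(lookup_interpolated($pdo, $q));
var_dump(lookup_unnamed($pdo, $q));
var_dump(lookup_named($pdo, $q));
```

Run it with `php example.php` on any PHP build with the pdo_sqlite extension. The interpolated lookup matches every row, because the quote in the path terminates the literal and the rest of the string is executed as SQL; both bound lookups compare the entire request string literally and match nothing, which is the behaviour comment #4 observed when trying injections against the `?` form. The named form changes nothing about safety; what it buys is that `:path` tells the reader at the call site which value is the request path, which is the readability concern the issue summary raises.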
Comment #5
soyarma commented

Comment #6
greggles commented
filter_xss is inappropriate for filtering a query parameter.

The last comments are technically accurate about the original focus of this issue, but they ignore the broader DXWTF of using unnamed parameters.
Comment #8
adammalone