Using $_GET['q'] directly in database statements is confusing. Instead you should use normal dbtng parameters.

Files:
  #1 fast_404-2123775-2.patch (3.37 KB, by skilip)

Comments

skilip

Status: Active » Needs review
File size: 3.37 KB
hefox

Issue summary: View changes
hefox

republishing

soyarma

I researched this with the drupal security team and the ? placeholder does do escaping via the PDO library. I also attempted to do injections and was unsuccessful, so it's been flagged as not a security issue.

soyarma

Status: Needs review » Closed (won't fix)
greggles

Title: Escape $_GET['q'] with filter_xss() » Use normal db placeholders to avoid DXWTF
Priority: Critical » Normal
Issue summary: View changes
Status: Closed (won't fix) » Needs work
Issue tags: -Security

filter_xss is inappropriate for filtering a query parameter.

The last comments are technically accurate about the original focus of this issue, but they ignore the broader DXWTF of using unnamed parameters.
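
As an added illustration (not the fast_404 module's own code), the two DBTNG placeholder styles this thread contrasts, written against Drupal 7's db_query(). Both forms are bound through PDO, as soyarma notes, so the difference is readability and maintainability rather than injection exposure; the table, column and function names are assumptions.

```php
<?php
// Added example, not the fast_404 module's code. Assumes a Drupal 7
// bootstrap and a hypothetical lookup of the request path in {menu_router}.

// Unnamed placeholder: still parameterized (PDO binds the value), but a
// reader has to count '?' marks to see which argument lands where, and
// $_GET['q'] is consumed inline. This is the DX problem greggles raises.
function fast404_example_unnamed() {
  return db_query("SELECT path FROM {menu_router} WHERE path = ?",
    array($_GET['q']))->fetchField();
}

// Named placeholder: same query, same PDO binding, but the intent is
// explicit in the SQL and the request value is read once, up front.
function fast404_example_named() {
  $path = isset($_GET['q']) ? $_GET['q'] : '';
  return db_query("SELECT path FROM {menu_router} WHERE path = :path",
    array(':path' => $path))->fetchField();
}

// What neither form does, and what filter_xss() would not repair either:
// concatenating the value into the SQL string skips PDO binding entirely.
//   db_query("SELECT path FROM {menu_router} WHERE path = '" . $_GET['q'] . "'");
```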

  • typhonius committed b7b377d on 7.x-1.x
    Issue #2123775 by skilip: Use normal db placeholders to avoid DXWTF

adammalone

Status: Needs work » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.