Closed (fixed)
Project:
OG Workflow
Version:
6.x-1.x-dev
Component:
Code
Priority:
Normal
Category:
Task
Assigned:
Unassigned
Reporter:
Created:
8 Sep 2011 at 00:41 UTC
Updated:
22 Sep 2011 at 01:11 UTC
All table data injected via a variable should be passed to db_escape_table(), and all values should be passed to db_escape_string(). Even though the data is "trusted" and in most cases numeric, it wouldn't hurt to be defensive here.
Comments
Comment #1
cpliakas commentedResolved in commit a6a5d2c.
Note that the initial code was copied from the Workflow module, so these changes should probably be posted there as well.
Comment #2
cpliakas commentedFollow up commit at 031e85f. Casting gids to integers is better than using db_escape_string().