All table data injected via a variable should be passed to db_escape_table(), and all values should be passed to db_escape_string(). Even though the data is "trusted" and in most cases numeric, it wouldn't hurt to be defensive here.

Comments

cpliakas’s picture

Status: Active » Fixed

Resolved in commit a6a5d2c.

Note that the initial code was copied from the Workflow module, so these changes should probably be posted there as well.

cpliakas’s picture

Follow up commit at 031e85f. Casting gids to integers is better than using db_escape_string().

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.