Data must be sanitized by using string format when calling db_query().

Comment   File                   Size      Author
          sql_sanitizing.patch   3.18 KB   byrocq

Comments

merlinofchaos

Category: bug » task
Priority: Normal » Minor

This isn't really a bug; at best it's a coding style violation, though $view->vid is guaranteed to be safe because it's always created by db_next_id(). But, sure.

sun

Status: Needs review » Needs work

Those quotes surrounding placeholders are basically wrong though, since %d doesn't refer to a string:

-    db_query("DELETE from {view_sort} WHERE vid='$view->vid'");
-    db_query("DELETE from {view_argument} WHERE vid='$view->vid'");
-    db_query("DELETE from {view_tablefield} WHERE vid='$view->vid'");
-    db_query("DELETE from {view_filter} WHERE vid='$view->vid'");
-    db_query("DELETE from {view_exposed_filter} WHERE vid='$view->vid'");
+    db_query("DELETE from {view_sort} WHERE vid='%d'", $view->vid);
+    db_query("DELETE from {view_argument} WHERE vid='%d'", $view->vid);
+    db_query("DELETE from {view_tablefield} WHERE vid='%d'", $view->vid);
+    db_query("DELETE from {view_filter} WHERE vid='%d'", $view->vid);
+    db_query("DELETE from {view_exposed_filter} WHERE vid='%d'", $view->vid);
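Review bot: on all five `+` lines the `%d` placeholder is still wrapped in single quotes (`vid='%d'`); `%d` is substituted as an integer, so the quotes turn an integer comparison into a string literal and should be dropped, e.g. `db_query("DELETE FROM {view_sort} WHERE vid = %d", $view->vid);`. The lowercase `from` on the same lines could be capitalised to `FROM` in the same pass so the SQL keywords are consistent.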
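To make the difference between the three spellings of that DELETE concrete, here is an added example that is not part of this issue, the patch, or the Views module. It models the `%d` / `%s` placeholder handling of Drupal 5/6 `db_query()` in a few lines (the real function lives in `includes/database.inc` and does more, including table prefixing and proper escaping); the helper name `mock_db_query()`, the use of `addslashes()` as a stand-in for `db_escape_string()`, and the sample value are assumptions made for this illustration.

```php
<?php
// Simplified model of db_query() placeholder substitution (assumption: the
// real implementation differs in details such as escaping and table prefixes).
function mock_db_query($query, ...$args) {
    return preg_replace_callback('/(%d|%s|%%)/', function ($m) use (&$args) {
        switch ($m[1]) {
            case '%d': return (int) array_shift($args);              // integer: non-numeric input collapses
            case '%s': return addslashes((string) array_shift($args)); // stand-in for db_escape_string(); caller adds quotes
            default:   return '%';                                     // '%%' is a literal percent sign
        }
    }, $query);
}

// The '-' lines of the patch: the value is interpolated into the SQL verbatim.
function delete_interpolated($vid) {
    return "DELETE FROM {view_sort} WHERE vid='$vid'";
}

// The '+' lines of the patch: %d is cast to int, but the quotes make it a string literal.
function delete_quoted_placeholder($vid) {
    return mock_db_query("DELETE FROM {view_sort} WHERE vid='%d'", $vid);
}

// What sun asks for: an unquoted %d yields a plain integer comparison.
function delete_int_placeholder($vid) {
    return mock_db_query("DELETE FROM {view_sort} WHERE vid = %d", $vid);
}

// Constructed sample: a vid containing a quote character. The issue notes the real
// $view->vid comes from db_next_id(), so this only shows what each form would do.
$vid = "3'";
echo delete_interpolated($vid), "\n";        // DELETE FROM {view_sort} WHERE vid='3''   (the quote ends the literal early)
echo delete_quoted_placeholder($vid), "\n";  // DELETE FROM {view_sort} WHERE vid='3'    (safe, but a string comparison)
echo delete_int_placeholder($vid), "\n";     // DELETE FROM {view_sort} WHERE vid = 3    (safe, integer comparison)
```

The first form hands control of the statement's structure to whatever characters the value happens to contain; the placeholder forms normalise the value to an integer before it reaches the query, and the unquoted `%d` is the one that also keeps the column comparison typed correctly.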

esmerel

Status: Needs work » Closed (won't fix)

No updated patch submitted; no work being done on 1.x