I've got to reject this. There has been absolutely no attempt to protect this application from SQL injection.

For example:

    function check_privacy($module, $table, $action, $id='', $p_uid='') {
        ...
        $query = "SELECT $field_pri, $field_uc FROM $table WHERE $field_id = '$id'";
        $obm_q = new DB_OBM;
        $obm_q->query($query);

    ...
    $params = get_list_params();
    ...
    if (! check_privacy($module, "List", $action, $params["list_id"], $obm["uid"])) {

where get_list_params is virtually untouched $_POST values.

Before this gets further review, all database use should be correctly parameterized. And it's not a short list, I'm afraid:

    $ fgrep -Ri -- '->query($query);' . | wc -l
    977
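An added example (not OBM's code, and not part of the review above) showing the interpolated check_privacy query beside a parameterized version. The review does not show the DB_OBM API, so PDO on an in-memory SQLite database is assumed; the table, column names and module allowlist are hypothetical. The point a fix has to handle is that only values can be bound: $table and $field_id are identifiers, so they need an allowlist rather than a placeholder.

```php
<?php
// Added example, not OBM's code. DB_OBM's API is not shown in the review, so
// PDO is assumed; table and column names below are hypothetical.

// Vulnerable form (as in the review): $id comes from $_POST via get_list_params()
// and is spliced straight into the SQL string, as is $table.
function check_privacy_vulnerable(PDO $db, string $table, string $id): bool {
    $query = "SELECT list_privacy, list_usercreate FROM $table WHERE list_id = '$id'";
    return $db->query($query)->fetch() !== false;
}

// Identifiers (table and column names) cannot be bound as parameters, so they
// are resolved through a fixed allowlist keyed by module; only the value is bound.
const PRIVACY_TABLES = [
    'List' => ['table' => 'List', 'id' => 'list_id',
               'pri' => 'list_privacy', 'uc' => 'list_usercreate'],
];

function check_privacy_safe(PDO $db, string $module, string $id): bool {
    if (!isset(PRIVACY_TABLES[$module])) {
        throw new InvalidArgumentException("unknown module: $module");
    }
    $t = PRIVACY_TABLES[$module];
    $sql = sprintf('SELECT %s, %s FROM %s WHERE %s = :id',
                   $t['pri'], $t['uc'], $t['table'], $t['id']);
    $stmt = $db->prepare($sql);
    $stmt->execute([':id' => $id]);   // $id travels as data, never parsed as SQL
    return $stmt->fetch(PDO::FETCH_ASSOC) !== false;
}

// Demonstration on a constructed in-memory table with a single row.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE List (list_id INTEGER, list_privacy INTEGER, list_usercreate INTEGER)');
$db->exec('INSERT INTO List VALUES (1, 1, 42)');

// Constructed input that is not a valid list id. In the vulnerable form it
// alters the WHERE clause and the privacy check passes for a row the caller
// never named; in the safe form it is compared as a literal and matches nothing.
$hostile = "' OR '1'='1";
var_dump(check_privacy_vulnerable($db, 'List', $hostile));
var_dump(check_privacy_safe($db, 'List', $hostile));
var_dump(check_privacy_safe($db, 'List', '1'));
```

The same allowlist approach is what the other call sites counted by the fgrep above need, since a prepared statement alone does not cover a caller-supplied $table.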