orderby() should verify direction [DONE] and escape fields

Created on 16 June 2010, almost 15 years ago
Updated 19 March 2025, about 1 month ago

In my dream (where unicorns also roam) DBTNG goes out of its way to prevent SQL injections due to silly mistakes, or a moment of carelessness.

orderby() doesn't escape fields / aliases and does not check $direction, allowing SQL injection when developers pass user-supplied data.

Idem for GROUP BY, though that needs further study.
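As an added illustration of the hardening the report asks for (this is not Drupal's own code and does not use the DBTNG API; the function name, the allowlist and the MySQL-style backtick quoting are assumptions), a standalone helper that validates the direction against the two SQL keywords, restricts the field to an allowlist of sortable columns, and quotes the identifier before it is interpolated into SQL:

```php
<?php
// Added example, not Drupal code: a hardened ORDER BY builder that validates
// $direction and restricts/escapes the field name. All names are hypothetical.

/**
 * Build a safe "ORDER BY" fragment.
 *
 * @param string   $field      Column or alias requested (possibly user input).
 * @param string   $direction  Sort direction requested (possibly user input).
 * @param string[] $allowed    Allowlist of sortable columns/aliases.
 *
 * @return string  e.g. "ORDER BY `title` ASC"
 *
 * @throws InvalidArgumentException when the field is not on the allowlist or
 *   the direction is not ASC/DESC.
 */
function safe_order_by(string $field, string $direction, array $allowed): string {
  // 1. Direction: only the two SQL keywords are accepted (case-insensitive);
  //    anything else, including trailing SQL, is rejected outright.
  $dir = strtoupper(trim($direction));
  if ($dir !== 'ASC' && $dir !== 'DESC') {
    throw new InvalidArgumentException('Invalid sort direction: ' . var_export($direction, TRUE));
  }

  // 2. Field: exact match against the caller's allowlist. An allowlist is
  //    stronger than escaping alone because it also stops sorting on columns
  //    the caller never meant to expose (e.g. a password hash column).
  if (!in_array($field, $allowed, TRUE)) {
    throw new InvalidArgumentException('Field not sortable: ' . var_export($field, TRUE));
  }

  // 3. Defence in depth: even an allowlisted name must look like a plain
  //    identifier (optionally table.column) before it is quoted.
  if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)?$/', $field)) {
    throw new InvalidArgumentException('Malformed identifier: ' . var_export($field, TRUE));
  }

  // Quote each identifier part with backticks (MySQL style; an assumption).
  $quoted = implode('.', array_map(fn($p) => '`' . $p . '`', explode('.', $field)));
  return "ORDER BY $quoted $dir";
}

// Constructed sample inputs: legitimate values alongside hostile ones that a
// naive orderBy($field, $direction) would interpolate verbatim.
$allowed = ['nid', 'title', 'created', 'n.changed'];
$samples = [
  ['title', 'asc'],                            // accepted
  ['n.changed', 'DESC'],                       // accepted
  ['title', 'ASC; DROP TABLE node'],           // rejected: bad direction
  ['title`, (SELECT 1)', 'ASC'],               // rejected: not on allowlist
  ['pass', 'ASC'],                             // rejected: real column, not sortable
];

foreach ($samples as [$field, $direction]) {
  try {
    echo safe_order_by($field, $direction, $allowed), PHP_EOL;
  }
  catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
  }
}
```

The allowlist check is the part that matters most: escaping an identifier only protects the SQL syntax, while the allowlist also decides which columns a user may sort by at all. The direction check mirrors the "[DONE]" half of the title; the field handling is what the report says is still missing.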

πŸ› Bug report
Status

Needs work

Version

7.0 ⚰️

Component

database system

Created by

🇳🇱 Netherlands heine

  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

  • Needs backport to D7

    After being applied to the 8.x branch, it should be considered for backport to the 7.x branch. Note: This tag should generally remain even after the backport has been written, approved, and committed.

Comments & Activities
