orderby() should verify direction [DONE] and escape fields

Created on 16 June 2010, almost 15 years ago
Updated 19 March 2025, 18 days ago

In my dream (where unicorns also roam) DBTNG goes out of its way to prevent SQL injections due to silly mistakes, or a moment of carelessness.

orderby() doesn't escape fields / aliases and does not check $direction, allowing SQL injection when developers pass usersupplied data.

idem for group by, though that needs further study.

πŸ› Bug report
Status

Needs work

Version

7.0 ⚰️

Component

database system

Created by

πŸ‡³πŸ‡±Netherlands heine

Live updates comments and jobs are added and updated live.
  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

  • Needs backport to D7

    After being applied to the 8.x branch, it should be considered for backport to the 7.x branch. Note: This tag should generally remain even after the backport has been written, approved, and committed.

Sign in to follow issues

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Production build 0.71.5 2024