[buddypress-trac] [BuddyPress] #1284: BP_Groups_Group::get_all method generates bad mysql request
buddypress-trac at lists.automattic.com
Wed Nov 25 00:58:36 UTC 2009
#1284: BP_Groups_Group::get_all method generates bad mysql request
----------------------+-----------------------------------------------------
Reporter: Fairweb | Owner: MrMaz
Type: defect | Status: reopened
Priority: major | Milestone: 1.1.3
Resolution: | Keywords: has-patch group mysql status public request
----------------------+-----------------------------------------------------
Changes (by MrMaz):
* status: closed => reopened
* resolution: fixed =>
Comment:
This "where 1=1" fix is a bad idea.
1. It's a hack.
2. It's the same thing as saying "where true" which could possibly throw
off the query optimizer.
3. 1=1 and other same int/string comparison expressions, like 'a'='a' etc,
will show up in any decent security scanner that is sniffing for SQL
injection attacks.
It doesn't sit right when I spend a good chunk of my time creating a
solution that works properly, and it's replaced with a hack that looks like
SQL injection.
--
Ticket URL: <http://trac.buddypress.org/ticket/1284#comment:14>
BuddyPress <http://buddypress.org/>
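As an added illustration of the point argued above (example code written for this page, not BuddyPress code): a query builder that collects conditions in a list and emits WHERE only when there is at least one, so the "WHERE 1=1" placeholder is never needed, next to the "1=1" style for comparison, and a small tautology check of the kind a scanner applies. The `bp_groups` table, its columns, the filter names and the sample rows are constructed, and SQLite stands in for MySQL.

```python
import re
import sqlite3

# Constructed sample data; not BuddyPress' real schema or rows.
SAMPLE_ROWS = [
    (1, "Alpha", "public"),
    (2, "Beta", "private"),
    (3, "Gamma", "public"),
]


def build_groups_query(status=None, search=None, limit=None):
    """Build a SELECT over the hypothetical bp_groups table.

    Conditions are gathered in a list and joined with AND; the WHERE
    keyword is added only when the list is non-empty, so no filler
    predicate is required. Values travel as ? placeholders, never as
    string concatenation.
    """
    sql = "SELECT id, name, status FROM bp_groups"
    conditions = []
    params = []
    if status is not None:
        conditions.append("status = ?")
        params.append(status)
    if search is not None:
        conditions.append("name LIKE ?")
        params.append("%" + search + "%")
    if conditions:
        sql += " WHERE " + " AND ".join(conditions)
    sql += " ORDER BY id"
    if limit is not None:
        sql += " LIMIT ?"
        params.append(int(limit))
    return sql, tuple(params)


def build_groups_query_hack(status=None, search=None):
    """The 'WHERE 1=1' style the comment objects to, for comparison.

    Functionally equivalent, but the query always carries a tautology.
    """
    sql = "SELECT id, name, status FROM bp_groups WHERE 1=1"
    params = []
    if status is not None:
        sql += " AND status = ?"
        params.append(status)
    if search is not None:
        sql += " AND name LIKE ?"
        params.append("%" + search + "%")
    sql += " ORDER BY id"
    return sql, tuple(params)


# Always-true comparisons that SQL injection scanners commonly flag:
# a number compared with itself (1=1), a string literal compared with
# itself ('a'='a'), or an explicit OR TRUE.
TAUTOLOGY_RE = re.compile(r"""(?ix)
      \b(\d+)\s*=\s*\1\b
    | '([^']*)'\s*=\s*'\2'
    | \bor\s+true\b
""")


def looks_like_tautology(sql):
    """Return True if the SQL text contains a tautological predicate."""
    return TAUTOLOGY_RE.search(sql) is not None


def run_query(sql, params):
    """Execute a built query against an in-memory SQLite copy of the data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bp_groups (id INTEGER, name TEXT, status TEXT)")
    conn.executemany("INSERT INTO bp_groups VALUES (?, ?, ?)", SAMPLE_ROWS)
    rows = conn.execute(sql, params).fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    for builder in (build_groups_query, build_groups_query_hack):
        sql, params = builder(status="public")
        print(sql, params, run_query(sql, params), looks_like_tautology(sql))
```

Both builders return the same rows for the same filters; the difference is only in the SQL text, which is exactly what a scanner or a reviewer reading query logs sees.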