The social comments block plugin for Moodle increases engagement by fostering peer learning through comment subscription, email digests, a comments newsfeed, comment search and pinning of important comments and content to the pin board. This plugin is part of a collection of open source plugins, which all have the goal of improving the overall usability and user experience of Moodle.
When calling DB functions, you shouldn't be storing your "tablename" in another variable and passing it through. The table name is vulnerable to SQL injection, and it should be obvious to a reviewer that there is no SQL injection possible when looking at a database function.
Ideally you should rewrite this so that the table name is hard-coded in the get_record() call instead of in a parameter passed via another script.
https://github.com/Elearning-HWR-Berlin/moodle-block_social-comments/blob/master/classes/local/basepost.php#L46
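As an added illustration of the pattern the review describes, here is the indirect form (table name supplied through a variable) next to the form the reviewer asks for (table name as a literal in the get_record() call). This is example code written for this page, not the plugin's own source or the reviewer's code; the class names and the table name `block_socialcomments_cmmnts` are placeholders and not taken from the plugin.

```php
<?php
// Added example, not code from the plugin. Shows the review point:
// a table name passed in through a variable versus a literal in the DML call.
// Class names and the table name below are assumptions for illustration only.

defined('MOODLE_INTERNAL') || die();

// Pattern the reviewer objects to: the table name arrives through a
// constructor parameter. A reader of load() cannot tell from this class
// alone which table is queried, or whether the value is a constant.
abstract class basepost_indirect {
    /** @var string table name supplied by a subclass or caller */
    protected $tablename;

    public function __construct(string $tablename) {
        $this->tablename = $tablename;
    }

    public function load(int $id) {
        global $DB;
        // Moodle's DML binds the values in $conditions as parameters, but a
        // table name cannot be bound; it ends up in the SQL text. This call is
        // only as safe as every value that reaches $this->tablename.
        return $DB->get_record($this->tablename, ['id' => $id], '*', MUST_EXIST);
    }
}

// Recommended form: the table name is a literal at the call site, so the
// DML call is self-evidently free of injection and each concrete class
// states which table it reads.
abstract class basepost_direct {
    /** Load the record for this post type; subclasses name their own table. */
    abstract protected function load(int $id);
}

class comment_post extends basepost_direct {
    protected function load(int $id) {
        global $DB;
        // Placeholder table name; the literal is what a reviewer can check at a glance.
        return $DB->get_record('block_socialcomments_cmmnts', ['id' => $id], '*', MUST_EXIST);
    }
}
```

The conditions array is the part of the call that Moodle parameterises; keeping the table name as a string literal at the call site is what lets a reviewer confirm, without tracing constructor arguments across files, that nothing user-controlled can reach the SQL text.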