Wunderbyte-GmbH / moodle-local_wunderbyte_table

Wunderbyte Table

please use parameterization in sql queries #39

Closed danmarsden closed 9 months ago

danmarsden commented 9 months ago

https://github.com/Wunderbyte-GmbH/moodle-local_wunderbyte_table/blob/main/classes/wunderbyte_table.php#L1651C35-L1652

I didn't take a really good look through your db_query functions but it does make me nervous to see code like the one linked above where parameterisation is not used when it could be quite easily adapted.

I think it would be good for someone to have a really close look at your usage of SQL and inline params in the other functions in this file too - I suspect a large amount is copied from tablelib db_query, but you've added quite a few places where it's possible that SQL injection issues might occur.
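The pattern being asked for, as an added illustration that is not code from this repository: a filter query written with the value spliced into the SQL string, and the same query using Moodle's DML parameter binding (`$DB->get_records_sql()` with named placeholders and `get_in_or_equal()` for lists). Table and column names and the `deleted` filter are constructed for the example.

```php
<?php
// Constructed example, not code from moodle-local_wunderbyte_table.
defined('MOODLE_INTERNAL') || die();

/**
 * Inline interpolation: $value becomes part of the SQL text, so any quote
 * character in it changes the query rather than being compared as data.
 * This is the shape of query the issue asks to replace.
 */
function get_filtered_rows_inline(string $column, string $value): array {
    global $DB;
    $sql = "SELECT * FROM {user} WHERE " . $column . " = '" . $value . "'";
    return $DB->get_records_sql($sql);
}

/**
 * Parameterised: the value is bound to a named placeholder and never touches
 * the SQL text. Identifiers (column names) cannot be bound, so they are
 * checked against an allow-list before being interpolated.
 */
function get_filtered_rows_parameterised(string $column, string $value): array {
    global $DB;
    $allowedcolumns = ['username', 'email', 'idnumber']; // constructed allow-list
    if (!in_array($column, $allowedcolumns, true)) {
        throw new coding_exception('Column not allowed in filter: ' . $column);
    }
    $sql = "SELECT * FROM {user} WHERE " . $column . " = :value";
    return $DB->get_records_sql($sql, ['value' => $value]);
}

/**
 * A list of ids for an IN (...) clause: get_in_or_equal() generates the
 * placeholders and the matching parameter array together, so the list is
 * still bound rather than imploded into the string. It throws on an empty
 * list unless the $onemptyitems argument is supplied.
 */
function get_rows_by_ids(array $ids): array {
    global $DB;
    list($insql, $params) = $DB->get_in_or_equal($ids, SQL_PARAMS_NAMED, 'id');
    $params['deleted'] = 0;
    $sql = "SELECT * FROM {user} WHERE id $insql AND deleted = :deleted";
    return $DB->get_records_sql($sql, $params);
}
```

Reviewing for the inline form is mechanical: any `$DB->*_sql()` call whose SQL string contains a concatenated or interpolated variable that is not an allow-listed identifier is a candidate for the second form.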

georgmaisser commented 9 months ago

Hi @danmarsden, thank you so much for your very helpful comments. We'll fix all of the issues right away, starting with this one: 1271ba5

We had used parameterization in almost all cases, but you put your finger on those which we missed.