anuko / timetracker

Simple, easy to use, open source time tracking system.

Add escaping on data inputs, currently only quoting used -> SQL injections #46

Closed tuxmike closed 6 years ago

tuxmike commented 6 years ago

Example:

```php
// Text values pass through quote(), but $status and $project_id are
// interpolated straight into the statement.
$sql = "update tt_projects set name = ".$mdb2->quote($name).", description = ".$mdb2->quote($description).", tasks = ".$mdb2->quote($comma_separated).", status = $status where id = $project_id";
```

Better to use defined datatypes or escaping: https://pear.php.net/manual/en/package.database.mdb2.intro-quote.php

Or, the best alternative: http://pear.php.net/manual/en/package.database.mdb2.intro-execute.php
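The example query above, rewritten with the two MDB2 mechanisms the linked manual pages describe. This is an added illustration, not code from the timetracker project or from the reporter. It assumes `$mdb2` is a connected PEAR::MDB2 instance and that `status` and `id` are integer columns; the function names are hypothetical. The point it makes concrete is that in the original statement the text fields are already quoted, so the remaining gap is the two integers spliced in raw; whether those values are ever attacker-controlled in the project depends on calling code this page does not show.

```php
<?php
// Added example (not project code). Assumes $mdb2 is a connected PEAR::MDB2
// object and that tt_projects.status and tt_projects.id are integer columns.

// 1. Pattern quoted in the issue: $status and $project_id are interpolated
//    without quote() or a cast. A $project_id of "1 or 1=1" would change the
//    WHERE clause to "where id = 1 or 1=1".
function updateProjectRaw($mdb2, $project_id, $status, $name, $description, $comma_separated)
{
    $sql = "update tt_projects set name = ".$mdb2->quote($name).
        ", description = ".$mdb2->quote($description).
        ", tasks = ".$mdb2->quote($comma_separated).
        ", status = $status where id = $project_id";
    return $mdb2->exec($sql);
}

// 2. Typed quote(): MDB2 casts 'integer' values to int, so "1 or 1=1" becomes 1
//    and cannot introduce SQL syntax. Text values are escaped and quoted.
function updateProjectTypedQuote($mdb2, $project_id, $status, $name, $description, $comma_separated)
{
    $sql = "update tt_projects set name = ".$mdb2->quote($name, 'text').
        ", description = ".$mdb2->quote($description, 'text').
        ", tasks = ".$mdb2->quote($comma_separated, 'text').
        ", status = ".$mdb2->quote($status, 'integer').
        " where id = ".$mdb2->quote($project_id, 'integer');
    return $mdb2->exec($sql);
}

// 3. prepare()/execute() with positional placeholders and declared types.
//    Values never touch the query string; MDB2_PREPARE_MANIP marks this as a
//    data-manipulation statement (no result set).
function updateProjectPrepared($mdb2, $project_id, $status, $name, $description, $comma_separated)
{
    $types = array('text', 'text', 'text', 'integer', 'integer');
    $sth = $mdb2->prepare(
        'update tt_projects set name = ?, description = ?, tasks = ?, status = ? where id = ?',
        $types,
        MDB2_PREPARE_MANIP
    );
    if (PEAR::isError($sth)) {
        return $sth;
    }
    $res = $sth->execute(array($name, $description, $comma_separated, $status, $project_id));
    $sth->free();
    return $res; // affected row count, or a PEAR_Error on failure
}
```

Option 3 is the one to standardise on if the code base is touched broadly, since the type list is checked on every execute and the query text stays static; option 2 is the smaller diff for a one-off fix of a single statement like the one above.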

anuko commented 6 years ago

Did you find any specific vulnerability that needs addressing now, or is it a rather general comment that should be considered in the context of "we have a lot of legacy code here"? In that case it is not really important compared with other issues, such as, for example, refactoring, unless something is broken and needs a fix as soon as possible.

anuko commented 6 years ago

Closing for now, as no specific vulnerabilities were identified. Not saying that there are none. Just thinking that it is best to have something to address / work with if this work is to be performed; otherwise, spend energy on other issues with a clear benefit / outcome.