Open volodymyrdovhan opened 1 month ago
Thank you Vlad for spotting these. And thanks Flotter for the fixes. Good to see injected values replaced by placeholders. This should really be seen as a serious (and security related) bug, not an enhancement.
As it is fixed, feel free to close.
Hello,
A lot of requests to the DB use plain SQL operators like IN or LIKE. Please replace them with Moodle DML functions:
https://moodledev.io/docs/4.5/apis/core/dml#get_in_or_equal
https://moodledev.io/docs/4.5/apis/core/dml#sql_like
All parameters should be replaced with placeholders: https://moodledev.io/general/development/policies/codingstyle/sql#parameter-placeholders
In addition, please review Moodle SQL coding styles standards: https://moodledev.io/general/development/policies/codingstyle/sql
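As an added illustration of the two fixes the issue asks for (not code from the issue, the reporter, or the plugin), here is a raw-SQL query of the kind described next to its DML rewrite, written in PHP against Moodle's `$DB` API. The function names, `$courseids`, `$search`, and the use of the `{course}` table and its `fullname` column are assumptions made for the example.

```php
<?php
// Added example (not from the issue or the plugin): the pattern the issue
// asks to remove, followed by the Moodle DML equivalent. Variable names,
// the search column and the table are assumptions; {course} is Moodle's
// standard table-prefix placeholder.

defined('MOODLE_INTERNAL') || die();

/**
 * BEFORE: values interpolated directly into IN (...) and LIKE '...'.
 * Every element of $courseids and all of $search reach the SQL parser
 * untouched, so input such as "1) OR 1=1 --" changes the query instead
 * of being treated as data.
 */
function local_example_search_courses_unsafe(array $courseids, string $search): array {
    global $DB;
    $ids = implode(',', $courseids);
    $sql = "SELECT id, fullname FROM {course}
             WHERE id IN ($ids) AND fullname LIKE '%$search%'";
    return $DB->get_records_sql($sql);
}

/**
 * AFTER: get_in_or_equal() builds the IN list from placeholders, sql_like()
 * emits a portable LIKE with an ESCAPE clause, and every value travels in
 * $params. All placeholders use one style (named), as the DML layer requires.
 */
function local_example_search_courses(array $courseids, string $search): array {
    global $DB;

    // get_in_or_equal() throws a coding_exception on an empty list by default,
    // so handle the "nothing to match" case explicitly instead.
    if (empty($courseids)) {
        return [];
    }

    // Yields "IN (:cid<n>, :cid<n+1>, ...)" plus the matching
    // ['cid<n>' => value, ...] parameter array.
    list($insql, $inparams) = $DB->get_in_or_equal($courseids, SQL_PARAMS_NAMED, 'cid');

    // Case-insensitive LIKE on fullname; the pattern is bound as :search.
    $likesql = $DB->sql_like('fullname', ':search', false);

    // sql_like_escape() neutralises user-supplied % and _ so they match
    // literally; the surrounding wildcards are added after escaping.
    $params = $inparams + ['search' => '%' . $DB->sql_like_escape($search) . '%'];

    $sql = "SELECT id, fullname FROM {course} WHERE id $insql AND $likesql";
    return $DB->get_records_sql($sql, $params);
}
```

Two points worth checking when applying this pattern across a plugin: the DML layer rejects a query that mixes `?` and `:name` placeholders, so pick `SQL_PARAMS_NAMED` or `SQL_PARAMS_QM` consistently within each query, and `sql_like()` is also what gives you the same LIKE semantics on MySQL, PostgreSQL, MSSQL and Oracle, whereas a hand-written `LIKE` is case-insensitive on some of them and case-sensitive on others.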