Closed dregad closed 10 years ago
It's worth mentioning that simply replacing the function call is not sufficient; to avoid risk of SQL injection attacks, any inline query parameters should be replaced by calls to db_param(). For example:
$t_query = "SELECT * FROM $table WHERE id = '$p_id'";
db_query($t_query);
Would become
$t_query = "SELECT * FROM $table WHERE id = '" . db_param() . "'";
db_query_bound($t_query, array( $p_id ) );
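The comment above makes two points: db_query() calls have to go, and replacing the call alone is not enough if the query text still interpolates variables. The following is an added review aid, not code from the GanttChart plugin or from MantisBT: a small scanner that walks PHP source text and reports, per statement, deprecated db_query() calls, variables interpolated into the SQL text (which should become db_param() placeholders), and db_query_bound() calls whose number of db_param() placeholders does not match the number of bound values. The PHP snippets it runs on are constructed for this example (modelled on the lines in the comment), statements are assumed to fit on one line, and the rule that a variable whose name ends in "table" holds an identifier from db_get_table() (which cannot be bound and is reported separately for review) is a heuristic assumed here, not a MantisBT convention.

```python
import re
from dataclasses import dataclass

# Constructed sample PHP, modelled on the before/after shown in the issue comment.
# It is not the plugin's real source.
SAMPLE_PHP = """\
$t_query = "SELECT * FROM $table WHERE id = '$p_id'";
db_query($t_query);
$t_query = "SELECT * FROM $table WHERE id = '" . db_param() . "'";
$t_result = db_query_bound($t_query, array( $p_id ) );
$t_query = "SELECT * FROM {$t_table} WHERE name = '" . $p_name . "'";
db_query_bound($t_query, array());
$t_query = "DELETE FROM $table WHERE id = " . db_param();
db_query_bound($t_query, array());
"""

ASSIGN_RE = re.compile(r'^\s*(\$\w+)\s*=\s*(.+);\s*$')            # $var = <expr>;
CALL_RE = re.compile(r'\b(db_query_bound|db_query)\s*\((.*)\)\s*;')  # db_query*(...);
VAR_RE = re.compile(r'\$(\w+)')                                      # $name or {$name}
PARAM_RE = re.compile(r'\bdb_param\s*\(\s*\)')                       # db_param() placeholder


def is_identifier_var(name):
    """Heuristic (assumption for this example): *table variables hold SQL identifiers
    obtained from db_get_table(); those cannot be bound and need a manual origin check."""
    return name.endswith('table')


@dataclass
class Finding:
    line: int
    kind: str    # 'deprecated-call', 'inline-parameter', 'identifier', 'param-count'
    detail: str


def split_args(arg_text):
    """Split a call's argument list at the first top-level comma (query, bound values).
    Tracks quotes and parentheses; escaped quotes inside strings are not handled."""
    depth, in_str = 0, None
    for i, ch in enumerate(arg_text):
        if in_str:
            if ch == in_str:
                in_str = None
        elif ch in '"\'':
            in_str = ch
        elif ch == '(':
            depth += 1
        elif ch == ')':
            depth -= 1
        elif ch == ',' and depth == 0:
            return arg_text[:i].strip(), arg_text[i + 1:].strip()
    return arg_text.strip(), ''


def count_bound_values(values_arg):
    """Count the elements of an array( ... ) literal; None if no literal is present.
    Assumes no nested arrays and no commas inside the element strings."""
    m = re.search(r'array\s*\((.*)\)', values_arg, re.S)
    if not m:
        return None
    body = m.group(1).strip().rstrip(',')
    return 0 if not body else body.count(',') + 1


def audit_php(source):
    """Return a list of Findings for one-statement-per-line PHP source text."""
    assigned = {}   # $var -> last assigned expression, so db_query($t_query) can be resolved
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        call = CALL_RE.search(line)
        if not call:
            assign = ASSIGN_RE.match(line)
            if assign:
                assigned[assign.group(1)] = assign.group(2)
            continue
        func, args = call.groups()
        query_arg, values_arg = split_args(args)
        query_expr = assigned.get(query_arg, query_arg)   # literal query or resolved variable
        if func == 'db_query':
            findings.append(Finding(lineno, 'deprecated-call',
                                    'db_query() is removed in MantisBT 1.3; use db_query_bound()'))
        # Any $var inside the query expression (interpolated or concatenated) is inline SQL text.
        for name in VAR_RE.findall(query_expr):
            kind = 'identifier' if is_identifier_var(name) else 'inline-parameter'
            findings.append(Finding(lineno, kind, f'${name} is interpolated into the SQL text'))
        if func == 'db_query_bound':
            n_params = len(PARAM_RE.findall(query_expr))
            n_values = count_bound_values(values_arg)
            if n_values is not None and n_params != n_values:
                findings.append(Finding(lineno, 'param-count',
                                        f'{n_params} db_param() placeholder(s) but {n_values} bound value(s)'))
    return findings


if __name__ == '__main__':
    for f in audit_php(SAMPLE_PHP):
        print(f'line {f.line}: {f.kind}: {f.detail}')
```

On the sample, line 2 is reported three times (deprecated call, the interpolated table identifier, and $p_id as an inline parameter), line 6 shows that a db_query_bound() call can still carry an inline parameter when concatenation is used instead of db_param(), and line 8 shows a placeholder with no bound value. The identifier findings are deliberately kept apart from the inline-parameter ones: table names cannot be passed through db_param(), so the reviewer's question there is where the value comes from, not how to bind it.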
I just fixed it in the plugin.
Regards.
On Wed, Jan 29, 2014 at 12:55 PM, Damien Regad notifications@github.com wrote:
It's worth mentioning that simply replacing the function call is not sufficient; to avoid risk of SQL injection attacks, any inline query parameters should be replaced by calls to db_param(). For example:
$t_query = "SELECT * FROM $table WHERE id = '$p_id'";
db_query($t_query);
Would become
$t_query = "SELECT * FROM $table WHERE id = '" . db_param() . "'";
db_query_bound($t_query, array( $p_id ) );
AlainD.
5cf35542d3deb9b8710419abe84636220904fee3
Thanks Alain
In MantisBT 1.3, the db_query() function will be removed from the API (see mantisbt/mantisbt#128). The following occurrences have been found in this plugin; they should be replaced by db_query_bound() calls