vanderaj / gaiabb

Full featured web forum software written in PHP
https://github.com/vanderaj/gaiabb

SQL injection in memberlist.php #77

Closed vanderaj closed 4 years ago

vanderaj commented 4 years ago

Issue ID: f93f3fd81fac1cb247c3d1f2a403c266
Impact: Medium
Type: SQL injection
Path: /Users/vander/Documents/GitHub/gaiabb/source/memberlist.php
Line: 153
Description: If the string is a SQL query, a user can change its intent, which may inappropriately disclose or corrupt data within the database. Untrusted user-supplied data is inserted into an apparent SQL statement without adequate validation, escaping, or filtering.
First Detected: Wed, 29 Jan 2020 15:33:49 GMT
Scan Source: Single File Scans and Local Full Scan

vanderaj commented 4 years ago

$list - through validation using the preg_match statement on line 69, the like statement it is used in can only contain a-z letters, no spaces, and no meta characters. This means the like cannot be a SQL injection, as it's not possible for the $list variable to contain injections.
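
The kind of allow-list check the comment above relies on, as an added example that is not GaiaBB's code: the regex, the `members` table and the function names are assumptions, and the prepared statement is an extra layer the issue does not mention. It shows why the pattern has to be anchored over the whole string for the "only a-z" guarantee to hold.

```php
<?php
// Added example, not GaiaBB code. Table, column and function names are hypothetical.

/**
 * Return $list only if it is one or more lowercase a-z letters, else null.
 * \A and \z anchor the whole string: a plain `$` would also accept a
 * trailing newline, and an unanchored pattern would accept any string
 * that merely contains a letter.
 */
function validate_list_filter(string $list): ?string
{
    return preg_match('/\A[a-z]+\z/', $list) === 1 ? $list : null;
}

/** Look up usernames by prefix; the value is bound, never concatenated. */
function find_members(PDO $db, string $list): array
{
    $prefix = validate_list_filter($list);
    if ($prefix === null) {
        return [];                    // reject outright instead of trying to clean the input
    }
    $stmt = $db->prepare(
        'SELECT username FROM members WHERE username LIKE ? ORDER BY username'
    );
    $stmt->execute([$prefix . '%']);  // only a-z reaches here, so no LIKE wildcards either
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (username TEXT)');
$db->exec("INSERT INTO members VALUES ('alice'), ('adam'), ('bob')");

// Constructed inputs: one valid prefix, then values the allow-list must reject
// (trailing newline, LIKE wildcard, quote characters, empty string).
foreach (['a', "a\n", 'a%', "a' OR '1'='1", ''] as $input) {
    printf("%-18s => %s\n", json_encode($input), json_encode(find_members($db, $input)));
}
```

Only the first input returns rows; every other value is rejected by the validator before any SQL is built.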