[buddypress-trac] [BuddyPress] #1284: BP_Groups_Group::get_all method generates bad mysql request

buddypress-trac at lists.automattic.com buddypress-trac at lists.automattic.com
Wed Nov 25 00:58:36 UTC 2009

#1284: BP_Groups_Group::get_all method generates bad mysql request
  Reporter:  Fairweb  |       Owner:  MrMaz                                      
      Type:  defect   |      Status:  reopened                                   
  Priority:  major    |   Milestone:  1.1.3                                      
Resolution:           |    Keywords:  has-patch group mysql status public request
Changes (by MrMaz):

  * status:  closed => reopened
  * resolution:  fixed =>


 This "where 1=1" fix is a bad idea.

 1. Its a hack.
 2. Its the same thing as saying "where true" which could possibly throw
 off the query optimizer.
 3. 1=1 and other same int/string comparison expressions, like 'a'='a' etc,
 will show up in any decent security scanner that is sniffing for SQL
 injection attacks.

 It doesn't sit right when I spend a good chunk of my time creating a
 solution that works properly, and its replaced with a hack that looks like
 SQL injection.

Ticket URL: <http://trac.buddypress.org/ticket/1284#comment:14>
BuddyPress <http://buddypress.org/>

More information about the buddypress-trac mailing list