[wp-trac] [WordPress Trac] #27105: Input validation on wp-includes/SimplePie/Cache/MySQL.php in line 344
WordPress Trac
noreply at wordpress.org
Tue Feb 11 21:46:26 UTC 2014
#27105: Input validation on wp-includes/SimplePie/Cache/MySQL.php in line 344
--------------------------+-----------------------------
Reporter: OswaldoMG | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version: 3.5.2
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
SQL Injection
This database query contains a SQL injection flaw. The function call
constructs a dynamic SQL query using a variable derived from user-supplied
input. An attacker could exploit this flaw to execute arbitrary SQL
queries against the database.
Found by a static analysis application.
{{{
344 $query = $this->mysql->prepare($sql);
}}}
Recommendations: Avoid dynamically constructing SQL queries. Instead, use
parameterized prepared statements to prevent the database from
interpreting the contents of bind variables as part of the query. Always
validate user-supplied input to ensure that it conforms to the expected
format, using centralized data validation routines when possible.
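A static analyzer flags the prepare() call as the sink; whether the query is actually injectable depends on how $sql was assembled before that line. The following is an added example, not SimplePie or WordPress code: it contrasts a string-built query with a bound parameter using PDO over an in-memory SQLite database (assumed to be available via pdo_sqlite), and adds an allow-list check for identifiers, which bind variables cannot carry.

```php
<?php
// Added example (not SimplePie code): the pattern the recommendation describes,
// run on in-memory SQLite so it works without a MySQL server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE cache (id TEXT PRIMARY KEY, items INTEGER, data BLOB, mtime INTEGER)');
$pdo->exec("INSERT INTO cache VALUES ('abc', 1, 'x', 100), ('def', 2, 'y', 200)");

// Constructed user-controlled input: a cache id that carries a SQL fragment.
$userId = "abc' OR '1'='1";

// Vulnerable pattern: the value is concatenated into $sql, so prepare()
// receives a statement whose structure the input has already changed.
function lookupDynamic(PDO $pdo, string $id): int {
    $sql = "SELECT COUNT(*) FROM cache WHERE id = '" . $id . "'";
    $query = $pdo->prepare($sql);   // prepare() cannot undo the concatenation
    $query->execute();
    return (int) $query->fetchColumn();
}

// Hardened pattern: the value travels as a bind variable, so the database
// treats it as data and never as part of the statement text.
function lookupBound(PDO $pdo, string $id): int {
    $sql = 'SELECT COUNT(*) FROM cache WHERE id = :id';
    $query = $pdo->prepare($sql);
    $query->execute([':id' => $id]);
    return (int) $query->fetchColumn();
}

// Identifiers (table prefixes, table names) cannot be bound. When the query
// text must be assembled from them, validate against an allow-list first.
function safeTable(string $prefix, string $name): string {
    $knownTables = ['cache', 'items'];   // hypothetical allow-list for this example
    if (!preg_match('/^[A-Za-z0-9_]+$/', $prefix) || !in_array($name, $knownTables, true)) {
        throw new InvalidArgumentException('rejected identifier');
    }
    return '`' . $prefix . $name . '`';
}

// The dynamic version matches every row; the bound version matches none,
// because no stored id literally equals the payload string.
echo "dynamic: ", lookupDynamic($pdo, $userId), "\n";
echo "bound:   ", lookupBound($pdo, $userId), "\n";
echo "table:   ", safeTable('wp_', 'cache'), "\n";
```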
--
Ticket URL: <https://core.trac.wordpress.org/ticket/27105>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform