Zend Framework

Disturbing lack of validation in Example 38.7. - Database Storage - DbStorage extends Zend_OpenId_Consumer_Storage

Details

  • Type: Docs: Improvement
  • Status: Resolved
  • Priority: Minor
  • Resolution: Fixed
  • Affects Version/s: None
  • Fix Version/s: 1.9.6
  • Component/s: Zend_OpenId
  • Labels: None
  • Language: English

Description

I must admit I am not wholly familiar with either Zend_Db or Zend_OpenId, but the code examples in Example 38.7. Database Storage
worry me because they just seem to trust the incoming data so much.

e.g.

    public function delAssociation($url)
    {
        $table = $this->_association_table;
        $this->_db->query("delete from $table where url = '$url'");
        return true;
    }

------

I think it would be wise to mention somewhere in the docs how we know that $url is not going to carry an SQL injection attack so that paranoid folk like me don't get anxious when reading it.
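The safe answer to the question above is that nothing guarantees $url is clean, so the value should be bound rather than interpolated. The following is an added example, not code from the Zend Framework manual: the manual's vulnerable method next to a hardened version that uses the Zend_Db adapter's bind parameters and quoteIdentifier(). It assumes a configured Zend_Db adapter in $_db and a table name in $_association_table that comes from configuration (an assumption), and it is reduced to the one method rather than implementing the full Zend_OpenId_Consumer_Storage interface.

```php
<?php
// Added example (not from the Zend Framework docs). Shows the
// string-interpolated delete from the manual beside a bound-parameter
// version. Assumes $db is any Zend_Db_Adapter_Abstract instance and
// that the table name is configuration, never remote input.
class AssociationTable
{
    private $_db;
    private $_association_table;

    public function __construct(Zend_Db_Adapter_Abstract $db, $table = 'association')
    {
        $this->_db = $db;
        $this->_association_table = $table;
    }

    // Vulnerable form as printed in the manual: $url becomes part of the
    // SQL text, so a single quote inside it changes the statement.
    public function delAssociationUnsafe($url)
    {
        $table = $this->_association_table;
        $this->_db->query("delete from $table where url = '$url'");
        return true;
    }

    // Hardened form: the URL travels as a bound parameter and is never
    // parsed as SQL, whatever characters it contains. Placeholders cannot
    // bind identifiers, so the table name is quoted with quoteIdentifier()
    // instead (it is trusted configuration here, quoting is belt and braces).
    public function delAssociation($url)
    {
        $table = $this->_db->quoteIdentifier($this->_association_table);
        $this->_db->query("DELETE FROM $table WHERE url = ?", array($url));
        return true;
    }
}
```

The same pattern applies to every other example in that chapter that builds SQL with "$var": bind values with `?` placeholders (or `quoteInto()`), quote identifiers with `quoteIdentifier()`, and never rely on the caller having sanitised the input.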

Activity

Matthew Weier O'Phinney added a comment -

All documentation examined for bad security and updated; fixes committed to trunk and 1.9 release branch.
