Issues

ZF-8248: Disturbing lack of validation in Example 38.7. - Database Storage - DbStorage extends Zend_OpenId_Consumer_Storage

Description

I must admit I am not wholly familiar with either Zend_Db or Zend_OpenId, but the code examples in Example 38.7. Database Storage worry me because they just seem to trust the incoming data so much.

e.g

public function delAssociation($url) { $table = $this->_association_table; $this->_db->query("delete from $table where url = '$url'"); return true; }


I think it would be wise to mention somewhere in the docs how we know that $url is not going to carry an SQL injection attack so that paranoid folk like me don't get anxious when reading it.

Comments

All documentation examined for bad security and update; fixes committed to trunk and 1.9 release branch.