ZF-8248: Disturbing lack of validation in Example 38.7. - Database Storage - DbStorage extends Zend_OpenId_Consumer_Storage
Description
I must admit I am not wholly familiar with either Zend_Db or Zend_OpenId, but the code examples in Example 38.7. Database Storage worry me because they just seem to trust the incoming data so much.
e.g
public function delAssociation($url) { $table = $this->_association_table; $this->_db->query("delete from $table where url = '$url'"); return true; }
I think it would be wise to mention somewhere in the docs how we know that $url is not going to carry an SQL injection attack so that paranoid folk like me don't get anxious when reading it.
Comments
Posted by Matthew Weier O'Phinney (matthew) on 2009-11-19T16:11:03.000+0000
All documentation examined for bad security and update; fixes committed to trunk and 1.9 release branch.