Issues

ZF-8248: Disturbing lack of validation in Example 38.7. - Database Storage - DbStorage extends Zend_OpenId_Consumer_Storage

Issue Type: Docs: Improvement Created: 2009-11-07T20:01:22.000+0000 Last Updated: 2009-11-19T16:11:04.000+0000 Status: Resolved Fix version(s): - 1.9.6 (24/Nov/09)

Reporter: jw (ronny stalker) Assignee: Dmitry Stogov (dmitry) Tags: - Zend_OpenId

Related issues: Attachments:

Description

I must admit I am not wholly familiar with either Zend_Db or Zend_OpenId, but the code examples in Example 38.7. Database Storage worry me because they just seem to trust the incoming data so much.

e.g

public function delAssociation($url) { $table = $this->_association_table; $this->_db->query("delete from $table where url = '$url'"); return true; }


I think it would be wise to mention somewhere in the docs how we know that $url is not going to carry an SQL injection attack so that paranoid folk like me don't get anxious when reading it.

Comments

Posted by Matthew Weier O'Phinney (matthew) on 2009-11-19T16:11:03.000+0000

All documentation examined for bad security and update; fixes committed to trunk and 1.9 release branch.

Have you found an issue?

See the Overview section for more details.

Copyright

© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.

Contacts