ZF-8248: Disturbing lack of validation in Example 38.7. - Database Storage - DbStorage extends Zend_OpenId_Consumer_Storage

Issue Type: Docs: Improvement Created: 2009-11-07T20:01:22.000+0000 Last Updated: 2009-11-19T16:11:04.000+0000 Status: Resolved Fix version(s): - 1.9.6 (24/Nov/09)

Reporter: jw (ronny stalker) Assignee: Dmitry Stogov (dmitry) Tags: - Zend_OpenId

Related issues: Attachments:


I must admit I am not wholly familiar with either Zend_Db or Zend_OpenId, but the code examples in Example 38.7. Database Storage worry me because they just seem to trust the incoming data so much.


public function delAssociation($url) { $table = $this->_association_table; $this->_db->query("delete from $table where url = '$url'"); return true; }

I think it would be wise to mention somewhere in the docs how we know that $url is not going to carry an SQL injection attack so that paranoid folk like me don't get anxious when reading it.


Posted by Matthew Weier O'Phinney (matthew) on 2009-11-19T16:11:03.000+0000

All documentation examined for bad security and update; fixes committed to trunk and 1.9 release branch.

Have you found an issue?

See the Overview section for more details.


© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.