#5153 - database_search dynamic SQL not escaped properly
| Identifier | #5153 |
|---|---|
| Issue type | Minor issue (breaks specific functionality) |
| Title | database_search dynamic SQL not escaped properly |
| Status | Completed |
| Handling member | Chris Graham |
| Addon | General / Uncategorised |
| Description | It is possible for the content URL parameter in a search to contain an unsafe value. This unsafe value is not being properly escaped when the search query is built. |
| Steps to reproduce | |
| Additional information | http://localhost/composr/index.php?all_defaults=1&cache_blocks=0&cache_comcode_pages=0&content=+UNION+ALL+select+NULL+--+&keep_devtest=1&keep_minify=0&page=search&special_page_type=view&type=results |
| Funded? | No |
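The defect described above is the classic dynamic-SQL pattern: a user-supplied search term is spliced into the statement text instead of being passed as data. The following is an added illustration, not Composr's own code (Composr is PHP; this is generic Python over an in-memory SQLite table with constructed rows). `build_search_sql_unsafe` shows the construction the report describes, where the term becomes part of the SQL; `search_safe` shows the fix, binding the term as a parameter and additionally escaping the `LIKE` metacharacters `%` and `_` so the term is matched literally. The payload is the one from the issue's reproduction URL, with the `+` signs decoded to spaces.

```python
import sqlite3

# Constructed sample rows standing in for a CMS content table (not Composr's real schema).
SAMPLE_ROWS = [
    (1, "Welcome to the site"),
    (2, "Release notes 100% complete"),
    (3, "Search tips"),
]

# Value of the content= parameter from the issue's reproduction URL ('+' decoded to spaces).
REPORTED_PAYLOAD = " UNION ALL select NULL -- "


def make_db():
    """Create the constructed in-memory table used by the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE content (id INTEGER PRIMARY KEY, title TEXT NOT NULL)")
    conn.executemany("INSERT INTO content (id, title) VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def build_search_sql_unsafe(term):
    """The construction the report describes: the raw term is concatenated
    into the statement, so whatever it contains is parsed as SQL."""
    return "SELECT id, title FROM content WHERE title LIKE '%" + term + "%'"


def escape_like(term):
    """Escape LIKE metacharacters so the term is matched literally.
    Backslash is declared as the escape character in search_safe()."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_safe(conn, term):
    """Fixed statement text; the term travels as a bound parameter, never as SQL."""
    sql = "SELECT id, title FROM content WHERE title LIKE ? ESCAPE '\\'"
    return conn.execute(sql, ("%" + escape_like(term) + "%",)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("unsafe statement text:", build_search_sql_unsafe(REPORTED_PAYLOAD))
    print("safe search for payload:", search_safe(db, REPORTED_PAYLOAD))
    print("safe search for 'welcome':", search_safe(db, "welcome"))
    print("safe search for '100%':", search_safe(db, "100%"))
```

With binding, the reported payload is just an unusual search string that matches nothing, and the statement text sent to the database never changes. Escaping `%` and `_` is a separate, smaller concern: without it a term such as `_` would match every title, which is a correctness and information-disclosure issue rather than injection, but it is worth fixing in the same place.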