Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 2.0
    • Fix Version/s: 2.0
    • Component/s: Wiki (2.x)
    • Labels:
      None
    • Affected Branches:
      MOODLE_20_STABLE
    • Fixed Branches:
      MOODLE_20_STABLE

Description

The wiki code is not using SQL query bound parameters properly. Example:
      return $DB->get_records_select('wiki_pages', "subwikiid=$swid AND (cachedcontent LIKE '%$search%' OR title LIKE '%$search%')");

We must use ? or :named parameters for all variables. You must not embed variables directly into SQL, because there are no magic quotes any more; there is no way to add quotes even if you wanted to.

Please go through all SQL code in wiki and fix all similar problems there. Please note that the official recommended coding style is to type SQL as one "long string in double quotes", not multiple concatenated single-quoted strings.
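For illustration, the following added example (not the actual mod/wiki fix, and not code from this issue) shows the reported pattern next to a parameterised rewrite using the Moodle 2.0 DML API ($DB->get_records_select(), $DB->sql_like(), $DB->sql_like_escape()). The function names wiki_search_pages_vulnerable_example() and wiki_search_pages_example() are hypothetical.

```php
<?php
// Added illustration of the fix requested in this issue. NOT the code of
// mod/wiki: both function names are hypothetical. Assumes the Moodle 2.0 DML
// layer ($DB with get_records_select(), sql_like() and sql_like_escape()).

defined('MOODLE_INTERNAL') || die();

/**
 * BEFORE: the pattern reported in this issue. $swid and $search are pasted
 * straight into the SQL text. With no magic quotes in 2.0, a search term such
 * as  a' OR '1'='1  rewrites the query instead of being matched as text.
 */
function wiki_search_pages_vulnerable_example($swid, $search) {
    global $DB;
    return $DB->get_records_select('wiki_pages',
        "subwikiid=$swid AND (cachedcontent LIKE '%$search%' OR title LIKE '%$search%')");
}

/**
 * AFTER: every variable travels as a bound parameter.
 *
 * - The SQL is one double-quoted string, as the issue asks. The only values
 *   interpolated into it ($like1, $like2) are LIKE fragments generated by
 *   DML for the current database driver, never user data.
 * - Named placeholders are used. Moodle DML does not allow the same named
 *   placeholder twice in one query, so the search term is bound as both
 *   :search1 and :search2.
 * - $DB->sql_like(field, placeholder, false) builds a case-insensitive LIKE.
 * - The '%' wildcards go into the bound VALUE, not into the SQL text, and the
 *   user's own '%' and '_' are escaped with sql_like_escape() so they match
 *   literally instead of acting as wildcards.
 */
function wiki_search_pages_example($swid, $search) {
    global $DB;

    $like1 = $DB->sql_like('cachedcontent', ':search1', false);
    $like2 = $DB->sql_like('title', ':search2', false);

    $sql = "subwikiid = :subwikiid AND ($like1 OR $like2)";

    $pattern = '%' . $DB->sql_like_escape($search) . '%';
    $params = array(
        'subwikiid' => (int)$swid,
        'search1'   => $pattern,
        'search2'   => $pattern,
    );

    return $DB->get_records_select('wiki_pages', $sql, $params);
}
```

When auditing the rest of the module for the same problem, a quick check is to grep for `$` inside the SQL string arguments of `$DB->` calls: any PHP variable between the quotes that is not a DML-generated fragment should become a `?` or `:named` parameter.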


Dates

    • Fix Release Date: 24/Nov/10