    Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 2.0
    • Fix Version/s: 2.0
    • Component/s: Wiki (2.x)
    • Labels:
      None
    • Affected Branches:
      MOODLE_20_STABLE
    • Fixed Branches:
      MOODLE_20_STABLE

      Description

      The wiki code is not using SQL query bound parameters properly, for example:
      return $DB->get_records_select('wiki_pages', "subwikiid=$swid AND (cachedcontent LIKE '%$search%' OR title LIKE '%$search%')");

      We must use ? or :named parameters for all variables; you must not embed variables directly into SQL, because there are no magic quotes any more and there is no way to add quotes even if you wanted to.

      Please go through all SQL code in wiki and fix all similar problems there. Please note that the official recommended coding style is to type SQL as one "long string in double quotes", not as multiple concatenated single-quote strings.
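      The fix the issue asks for, shown as an added example beside the quoted pattern. This is illustrative code, not the patch that closed the issue and not Moodle's own wiki module code; it assumes a bootstrapped Moodle 2.x environment that provides the global $DB DML object (get_records_select, sql_like, sql_like_escape), and the function names and the $swid/$search inputs are hypothetical.

```php
<?php
// Added example; assumes Moodle 2.x is bootstrapped so that $DB is the
// moodle_database instance. wiki_search_pages_unsafe() reproduces the
// pattern quoted in the issue, wiki_search_pages_safe() is the bound form.

/**
 * BEFORE: $swid and $search are interpolated into the SQL string, so a
 * $search value such as   ' OR 1=1 --   becomes part of the query and a
 * non-numeric $swid breaks the statement. With magic quotes gone there is
 * nothing left in the pipeline that would add quoting for you.
 */
function wiki_search_pages_unsafe($swid, $search) {
    global $DB;
    return $DB->get_records_select('wiki_pages',
        "subwikiid=$swid AND (cachedcontent LIKE '%$search%' OR title LIKE '%$search%')");
}

/**
 * AFTER: every variable travels as a bound parameter. Named placeholders
 * are used here; Moodle requires each named placeholder to appear only
 * once in a query and does not allow mixing ? and :named in one statement,
 * so the same pattern is bound twice under two different names.
 */
function wiki_search_pages_safe($swid, $search) {
    global $DB;

    // Escape LIKE wildcards (% and _) typed by the user, then add our own,
    // so that a search for "100%" matches the literal text and not everything.
    $pattern = '%' . $DB->sql_like_escape($search) . '%';

    // sql_like() returns portable SQL such as
    // "cachedcontent LIKE :search1 ESCAPE '\\'" (case-insensitive here).
    $select = "subwikiid = :subwikiid AND ("
            . $DB->sql_like('cachedcontent', ':search1', false)
            . " OR "
            . $DB->sql_like('title', ':search2', false)
            . ")";

    $params = array(
        'subwikiid' => (int)$swid,
        'search1'   => $pattern,
        'search2'   => $pattern,
    );

    return $DB->get_records_select('wiki_pages', $select, $params);
}
```

      The string concatenation around sql_like() is the one place the "single long double-quoted string" style cannot be followed literally, because the LIKE syntax differs between database engines and must come from the DML layer; the user-controlled values themselves never touch the SQL text.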

            People

            • Assignee:
              pigui Jordi Piguillem Poch
              Reporter:
              skodak Petr Skoda
              Tester:
              Nobody
              Participants:
              Component watchers:
              Amaia Anabitarte, David Mudrák (@mudrd8mz), Sara Arjona (@sarjona)
            • Votes:
              0
              Watchers:
              1

              Dates

              • Created:
                Updated:
                Resolved:
                Fix Release Date:
                24/Nov/10