- Bug
- Resolution: Fixed
- Minor
- 2.6.6, 2.7.3, 2.8.2, 2.9
- MOODLE_26_STABLE, MOODLE_27_STABLE, MOODLE_28_STABLE, MOODLE_29_STABLE
- MOODLE_27_STABLE, MOODLE_28_STABLE
- MDL-48753_master

The function badges_get_user_badges in lib/badgeslib.php is using concatenation to form part of an SQL statement.
While all current core uses are safely handling the concatenated param, it could potentially be exploited if the calling code was sloppy.
This is a pretty minor issue at this point, however one that really should be addressed.
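
The risk described in this report, as an added illustration that is not Moodle's code: a query helper whose optional filter is concatenated into the SQL, next to one that binds it. The table, function names and sample rows are constructed, and the example uses PDO with in-memory SQLite rather than Moodle's `$DB` API.

```php
<?php
// Added illustration: hypothetical schema and helpers, not Moodle's badges code.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE issued (userid INTEGER, courseid INTEGER, badge TEXT)');
// Constructed sample rows: two badges for user 1, one for user 2.
$pdo->exec("INSERT INTO issued VALUES (1, 10, 'alpha'), (1, 20, 'beta'), (2, 10, 'gamma')");

// Before: the optional filter is concatenated, so the query is only as safe
// as the least careful caller that supplies $courseid.
function user_badges_concat(PDO $pdo, $userid, $courseid = 0): array {
    $sql = 'SELECT badge FROM issued WHERE userid = ?';
    if ($courseid != 0) {
        $sql .= ' AND (courseid = ' . $courseid . ')';
    }
    $stmt = $pdo->prepare($sql);
    $stmt->execute([$userid]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// After: the filter is a bound parameter, so its value is never parsed as SQL.
function user_badges_bound(PDO $pdo, $userid, $courseid = 0): array {
    $sql = 'SELECT badge FROM issued WHERE userid = ?';
    $params = [$userid];
    if ($courseid != 0) {
        $sql .= ' AND (courseid = ?)';
        $params[] = $courseid;
    }
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// A careful caller passes an integer; a sloppy one forwards request text unchanged.
$raw = '10) OR (1 = 1'; // constructed unvalidated value

echo json_encode(user_badges_concat($pdo, 1, 10)), "\n";   // intended use
echo json_encode(user_badges_concat($pdo, 1, $raw)), "\n"; // filter on userid is bypassed
echo json_encode(user_badges_bound($pdo, 1, $raw)), "\n";  // value treated as data only
```

With the unvalidated value, the concatenated helper returns rows belonging to other users, while the bound helper matches nothing because the whole string is compared against the column as a single value.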