
Code cleanup: Dynamic SQL Query


    • Type: Task
    • Resolution: Done
    • Priority: Should have
    • 1.53
    • 2
    • Code Refactoring
    • Sprint #87

      Path: exporter.php Line: 224
      Sink: get_results Source:
      Taint: HTTP

      Code Summary
      A code quality issue was detected at line 224 of exporter.php, in the function p4_px_single_post_authors_list():

      $wpdb->get_results(sprintf("SELECT DISTINCT post_author FROM {$wpdb->posts} WHERE ID IN( %s ) AND post_status != 'auto-draft'", $post_ids));

      The SQL query is built dynamically: $post_ids is substituted into the query text with sprintf, and sprintf's %s performs no escaping, so any attacker-controlled content in $post_ids becomes part of the SQL and can alter the query (SQL injection). Use prepared statements ($wpdb->prepare()) for all SQL queries, with placeholders for every data value. The prepared statement must only use placeholders for data and never concatenate data into the query string, not even into the format string passed to prepare().
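The flagged pattern next to a hardened form, as an added example written for this ticket rather than code from the Planet4 repository. It assumes a loaded WordPress environment that provides the global $wpdb (wpdb::prepare() and wpdb::get_results()); the function names p4_example_authors_unsafe() and p4_example_authors_safe() are hypothetical. The safe variant generates one %d placeholder per ID, so the number of placeholders always matches the number of values and no caller-supplied text ever reaches the query string.

```php
<?php
// Added example, not Planet4 project code. Requires WordPress to be loaded so
// that the global $wpdb object (wpdb::prepare, wpdb::get_results) exists.

/**
 * Vulnerable pattern, as flagged by the scanner: the caller's string is pasted
 * straight into the SQL. A value such as "1) OR 1=1 --" rewrites the WHERE clause.
 */
function p4_example_authors_unsafe( string $post_ids ): array {
    global $wpdb;
    return $wpdb->get_results( sprintf(
        "SELECT DISTINCT post_author FROM {$wpdb->posts} WHERE ID IN( %s ) AND post_status != 'auto-draft'",
        $post_ids
    ) );
}

/**
 * Hardened version: IDs are coerced to positive integers, bound through %d
 * placeholders, and the status literal is bound through %s. The only text
 * interpolated into the format string is $wpdb->posts (a trusted property)
 * and the generated placeholder list, never a data value.
 */
function p4_example_authors_safe( array $post_ids ): array {
    global $wpdb;

    // Drop anything that is not a valid post ID instead of trying to escape it.
    $ids = array_values( array_filter(
        array_map( 'intval', $post_ids ),
        fn( int $id ): bool => $id > 0
    ) );
    if ( empty( $ids ) ) {
        return []; // "IN ()" is a syntax error in MySQL, so short-circuit here.
    }

    // Build "%d, %d, %d" with exactly count( $ids ) entries.
    $placeholders = implode( ', ', array_fill( 0, count( $ids ), '%d' ) );

    // wpdb::prepare() accepts a single array of arguments and binds them in order:
    // first the IDs for the %d placeholders, then the status for %s.
    $sql = $wpdb->prepare(
        "SELECT DISTINCT post_author FROM {$wpdb->posts} WHERE ID IN ( {$placeholders} ) AND post_status != %s",
        array_merge( $ids, [ 'auto-draft' ] )
    );

    return $wpdb->get_results( $sql );
}

// Usage (inside WordPress): request input arrives as strings and is validated here.
// $authors = p4_example_authors_safe( explode( ',', (string) ( $_GET['ids'] ?? '' ) ) );
```

The check a reviewer should make on the fixed code is that every value reaching prepare() arrives as an argument and that the format string is built only from trusted parts (the table name and the generated placeholder list). Filtering with intval before binding is defence in depth: %d already forces integer binding, but rejecting invalid IDs up front keeps garbage such as "abc" from silently becoming 0 in the query.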

            dpivo Dylan Pivo (Inactive)
            kkokkoro Konstantinos Kokkorogiannis (Inactive)