I am not really a security or NN expert, but noticed the following in plugins/system/nnframework/helpers/assignments.php

The variables name and table are not "quoted". This could be potentially a security issue, right?

PS I had to insert XXXX, because this site apparently uses a very simple method to detect SQL injections (and wouldn't allow to post the code).

Hello universe

Did you mean this security problem? www.nonumber.nl/news/releases/285-securi...-nonumber-extensions It's already fixed in the new NN framework v12.4.5 Peter released two weeks ago. If you use an older version of the NoNumber extensions you have to install the patch manually (download above). If you have installed one of our "Classic Versions", the patch is already included.

Greetings Jan

I installed Peter's security update, so this is a new issue.

That basically means that your classic versions have the same issue.

That's not a security threat. Only the variable $id in the WHERE statement could be exploited (and you have to check all calls of this function in other files).

The $id is typecasted to an integer (int() - php.net/manual/en/language.types.integer...ypes.integer.casting), so you can not inject any code.

Not every statement has to be quoted...

Regards

As said already I am not a security expert, but rather asked a question. If there is no issue, then fine. But quoting would be probably still appropiate and doesn't have any disadvantages (just in case you are wrong )


PS

Since I am not a security expert, I can not argue here. Maybe only ask Kubik whether "something" in variable name could inject code that would create a new SQL statement and "comment out" the "where safe part" you mentioned.

universe schrieb:
Just try it!
(Hint: The statement must be valid to be executed.)

But I have to agree with you: Personally, I would also quote every variable in a SQL statement.

PS: Write NoNumber if you still don't believe me.

Regards