Ticket #515 (fixed bug)
DB Layer: Escape table names etc.
- Created: 2011-10-19 23:13:03
- Reported by: Franz
- Assigned to: Franz
- Milestone: 2.0-alpha1
- Component: database
- Priority: normal
Technically, these values should not come from user input etc.
Since we don't know for sure, though; since this is meant to be used by other projects, too; to be on the safe side; and because I will probably be shot if I don't... we should do it.
Franz 2011-11-03 10:03:33
- Status changed from open to fixed.
Well, ok, I quoted stuff where possible.
Unfortunately, properly quoting table and field names is not worth the overhead.
This does not mean that things are not safe (especially not in the core), but now (extension) developers are responsible themselves for making sure that there are no unsanitized table or column names in query objects.
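One way an extension developer could meet that responsibility, shown as an added example that is not part of the ticket or the project's code: identifiers are checked against an allowlist and quoted before they reach the query, while values stay bound parameters. Python and SQLite are used only for illustration; the `ALLOWED` map and the function names are hypothetical.

```python
import re
import sqlite3

# Hypothetical allowlist: the tables and columns this extension may touch.
ALLOWED = {
    "users": {"id", "name", "email"},
    "posts": {"id", "author_id", "title"},
}

# Conservative identifier shape; anything else is rejected, never "cleaned up".
_IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")


def quote_identifier(name):
    """Return name as a double-quoted SQL identifier, or raise ValueError."""
    if not isinstance(name, str) or not _IDENT_RE.match(name):
        raise ValueError(f"invalid identifier: {name!r}")
    # Doubling embedded quotes is redundant after the check above; kept as a
    # second layer in case the pattern is ever relaxed.
    return '"' + name.replace('"', '""') + '"'


def build_select(table, columns, where_column):
    """Build a SELECT whose identifiers all come from ALLOWED; the value is bound."""
    if table not in ALLOWED:
        raise ValueError(f"unknown table: {table!r}")
    for col in [*columns, where_column]:
        if col not in ALLOWED[table]:
            raise ValueError(f"unknown column: {col!r}")
    cols = ", ".join(quote_identifier(c) for c in columns)
    return (
        f"SELECT {cols} FROM {quote_identifier(table)} "
        f"WHERE {quote_identifier(where_column)} = ?"
    )


def demo():
    """Run the generated query against a constructed in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "users" ("id" INTEGER, "name" TEXT, "email" TEXT)')
    conn.execute('INSERT INTO "users" VALUES (1, ?, ?)', ("alice", "alice@example.org"))
    sql = build_select("users", ["name", "email"], "id")
    return sql, conn.execute(sql, (1,)).fetchall()


if __name__ == "__main__":
    print(demo())
```

Identifiers cannot be passed as bound parameters, which is why the table and column names need the allowlist check while the value does not.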