I discovered a possible SQL injection in
Database/Table/SqlBuilder.php. It is possible through 'ORDER BY',
because of insufficient filtering of its parameters.
I understand that developers must always check and escape all parameters, but it would be cool to have auto-escaping, for example:
preg_replace('/[^a-zA-Z0-9\._\- ]/i', '', $order)
Thanks for your attention.
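The following is an added example, not code from the post above or from the SqlBuilder.php the poster refers to. It is written in Python with the standard sqlite3 module rather than PHP, because ORDER BY injection is a SQL-level problem and this lets the attack actually run against an in-memory table. The table, rows and function names are all constructed for the example. It shows why ORDER BY is a classic injection sink (it cannot be bound as a prepared-statement parameter, so the builder must put the string into the SQL text itself), how an unfiltered ORDER BY leaks data through a conditional sort, a direct port of the poster's character-strip regex, and a stricter alternative of my own (an allow-list of column names and directions that rejects instead of silently stripping).

```python
import re
import sqlite3

# Constructed sample data for the demo (not from the original post).
ROWS = [
    (1, "alice", "s3cret-a"),
    (2, "bob", "s3cret-b"),
    (3, "carol", "s3cret-c"),
]


def make_db():
    """Create an in-memory table with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def select_vulnerable(conn, order):
    """Hypothetical builder mirroring the flaw described in the post: the
    ORDER BY clause is concatenated verbatim. Placeholders cannot be used
    here, so whatever the caller passes becomes part of the statement."""
    sql = f"SELECT id, name FROM users ORDER BY {order}"
    return conn.execute(sql).fetchall()


def guess_first_password_char(conn, user_id, candidate):
    """Boolean-based inference through ORDER BY: the sort direction depends
    on a subquery, so the row order tells the attacker whether the guess
    was right. No error message or data column is needed."""
    payload = (
        f"(CASE WHEN (SELECT substr(password,1,1) FROM users WHERE id={user_id})"
        f"='{candidate}' THEN id ELSE -id END)"
    )
    rows = select_vulnerable(conn, payload)
    return [r[0] for r in rows] == [1, 2, 3]  # ascending ids => guess was right


# Direct port of the post's preg_replace whitelist: drop every character that
# is not a letter, digit, '.', '_', '-' or space.
SAFE_CHARS = re.compile(r"[^a-zA-Z0-9._\- ]")


def sanitize_order_strip(order):
    """Character-strip approach from the post. Hostile input is mangled into
    something that no longer parses, but it is not rejected explicitly."""
    return SAFE_CHARS.sub("", order)


# Stricter alternative (my assumption, not the post's proposal): only known
# columns and directions are accepted, anything else raises.
ALLOWED_COLUMNS = {"id", "name"}
ALLOWED_DIRS = {"ASC", "DESC"}


def validate_order(order):
    """Normalise 'col [ASC|DESC], ...' against an allow-list or raise."""
    terms = []
    for term in order.split(","):
        parts = term.strip().split()
        if not parts or len(parts) > 2:
            raise ValueError(f"bad ORDER BY term: {term!r}")
        col = parts[0]
        direction = parts[1].upper() if len(parts) == 2 else "ASC"
        if col not in ALLOWED_COLUMNS or direction not in ALLOWED_DIRS:
            raise ValueError(f"bad ORDER BY term: {term!r}")
        terms.append(f"{col} {direction}")
    return ", ".join(terms)


def select_hardened(conn, order):
    """Same query as select_vulnerable, but ORDER BY goes through the allow-list."""
    sql = f"SELECT id, name FROM users ORDER BY {validate_order(order)}"
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print("legit:", select_vulnerable(conn, "name DESC"))
    for c in "abcs":
        print(f"first char of alice's password is {c!r}:",
              guess_first_password_char(conn, 1, c))
    print("stripped:", sanitize_order_strip("id; DROP TABLE users--"))
    print("hardened:", select_hardened(conn, "name desc, id"))
    try:
        select_hardened(conn, "(CASE WHEN 1 THEN id END)")
    except ValueError as e:
        print("rejected:", e)
```

The strip regex keeps `name DESC` working and turns the CASE payload into a syntax error, which is a real improvement over no filtering, but it still lets any run of letters and spaces through and gives the caller no signal that something was wrong. Validating each term against the columns the query actually exposes is the usual way to close an ORDER BY sink completely, since the set of legal values is small and known in advance.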