[development] Bug#336719: Can you reproduce this on 4.5.3-4?

Hilko Bengen bengen at debian.org
Fri Nov 11 13:57:40 UTC 2005

Florian Weimer <fw at deneb.enyo.de> writes:

>> db_query uses sprintf to replace placeholder expressions if passed
>> more than one argument and it seems to me that using %s does the
>> same thing as PHP's string expansion as in 4.5.3.
> What about SQL injection? Doesn't db_query protect against it, while
> PHP's string expansion doesn't?

At second glance, it does seem like it: db_query performs quoting on
those arguments which are then added via snprintf().

Do you have any idea how the $key parameter to sess_destroy
(includes/session.inc) is generated?

-Hilko who is once again shocked how little he knows about PHP's
       internal magic

More information about the development mailing list