Extension talk:NiceCategoryList2/3.0


141.70.81.139 (talkcontribs)

Uses a hardcoded SQL command... Over $title there is a possibility for SQL injection.

<code>
$sql = "SELECT p.page_id AS pid, p.page_title AS title, t.old_text as text FROM page p
INNER JOIN revision r ON p.page_latest = r.rev_id
INNER JOIN text t ON r.rev_text_id = t.old_id
INNER JOIN categorylinks c ON c.cl_from = p.page_id
INNER JOIN searchindex s ON s.si_page = p.page_id
WHERE c.cl_to='".$title."' ORDER BY p.page_title ASC";
</code>
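The hardened form of the query above, as an added example that is not code from the NiceCategoryList2 extension: the same five-table join expressed through MediaWiki's Database abstraction, so that $title is passed as a condition value and quoted by the driver instead of being concatenated into the SQL string. It assumes a MediaWiki release that defines DB_REPLICA (1.28 or later) and the pre-1.31 schema the original query uses (revision.rev_text_id, text.old_text); the function names niceCategoryListSafeQuery and niceCategoryListQuotedSql are invented for this example.

```php
<?php
// Added example, not part of the extension. Assumes MediaWiki 1.28+ (DB_REPLICA)
// and the old revision.rev_text_id / text.old_text schema shown in the post.

/**
 * Page id, title and latest text for every page in category $title,
 * built with IDatabase::select() so $title never touches the SQL string.
 *
 * @param string $title Category name in DB-key form, taken from wiki input.
 * @return \Wikimedia\Rdbms\IResultWrapper
 */
function niceCategoryListSafeQuery( $title ) {
	$dbr = wfGetDB( DB_REPLICA );

	// The conditions array is the fix: select() quotes $title with
	// addQuotes(), so quote characters in a category name stay data.
	return $dbr->select(
		[
			'p' => 'page',
			'r' => 'revision',
			't' => 'text',
			'c' => 'categorylinks',
			's' => 'searchindex',
		],
		[ 'pid' => 'p.page_id', 'title' => 'p.page_title', 'text' => 't.old_text' ],
		[ 'c.cl_to' => $title ],
		__METHOD__,
		[ 'ORDER BY' => 'p.page_title ASC' ],
		[
			'r' => [ 'INNER JOIN', 'p.page_latest = r.rev_id' ],
			't' => [ 'INNER JOIN', 'r.rev_text_id = t.old_id' ],
			'c' => [ 'INNER JOIN', 'c.cl_from = p.page_id' ],
			's' => [ 'INNER JOIN', 's.si_page = p.page_id' ],
		]
	);
}

/**
 * Minimal patch if the raw SQL string has to stay: let addQuotes() produce
 * the quoted, escaped literal instead of wrapping $title in literal quotes.
 *
 * @param string $title Category name in DB-key form.
 * @return string SQL text safe to hand to $dbr->query()
 */
function niceCategoryListQuotedSql( $title ) {
	$dbr = wfGetDB( DB_REPLICA );
	return "SELECT p.page_id AS pid, p.page_title AS title, t.old_text AS text FROM page p"
		. " INNER JOIN revision r ON p.page_latest = r.rev_id"
		. " INNER JOIN text t ON r.rev_text_id = t.old_id"
		. " INNER JOIN categorylinks c ON c.cl_from = p.page_id"
		. " INNER JOIN searchindex s ON s.si_page = p.page_id"
		. " WHERE c.cl_to=" . $dbr->addQuotes( $title )
		. " ORDER BY p.page_title ASC";
}
```

The select() form is the one to prefer: besides quoting the value, it applies the configured table prefix through the abstraction, which the hand-written string version does not. Either way, the check to make when reviewing the extension is that no caller still builds the WHERE clause with string concatenation.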
