by Shanea93
3537 days ago
To be honest, that code is pretty bad anyway. "If an arbitrary attribute table doesn't exist, ignore this row and process the next one", no exceptions thrown, no attempt to rectify the situation, no logging, no state change, just ignore it. I can't really think of a situation where you both don't care and don't want to know if your transaction completes. That aside, this actually looks like it might even contain a SQL injection vulnerability. I'm no Drupal 7 expert (which this code seems to be) but having looked into the code being run here, db_table_exists seems to call down to `$this->connection->queryRange("SELECT 1 FROM {" . $table . "}", 0, 1);` in `DatabaseSchema_mysql::tableExists`, which contains an unescaped PDO query. I feel like anyone running this code is going to have a very bad day and it makes me untrusting of the rest of the work they're putting out.