by deanclatworthy 3356 days ago
Same. Took hardly any time to see the SQL injection. I wonder how many more of these there are on older installations using modules that are no longer actively maintained (Hint: probably lots. Code quality has come a long way since the early days of Drupal.)
2 comments

As someone who used to host many Drupal installs - all of them.

The joke around the ops/security team was Drupal is a remote shell with a bonus CMS attached to it.

When was it, what versions of Drupal? 8 ended up as a massive rewrite to replace all the key parts with Symfony components.
I've always used this joke for WordPress... a remote shell with a blog attached to it.
> Took hardly any time to see the SQL injection.

You sure you saw it correctly? Concatenation of hardcoded variants (poor man's query builder) doesn't make an injection.

I saw that one too, I think it is something in the node_references auto_complete menu task. Too lazy to test, I've got plumbing work to do.
All I'm seeing is a missing db_like which means a user can search for "%foo%bar%" instead of just "foo%bar". This is not a SQL injection, nor a relevant issue.

The problem is in that function though. It is missing a condition for publication status. Titles of unpublished nodes should render for some users, but not all.
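The two points raised in the last comments (a missing db_like() wildcard escape, and a missing publication-status condition) are easy to see side by side in a runnable form. The example below is added here and is not code from the thread or from any Drupal module; it uses an in-memory SQLite table with constructed sample nodes, a `db_like` helper that applies the same backslash escaping Drupal's db_like() does for `%`, `_` and `\`, and two hypothetical autocomplete queries, one written the way the comments describe the module and one with the escape and the `status = 1` condition added. Both queries are parameterised, which is why this is wildcard leakage rather than SQL injection.

```python
import sqlite3

# Constructed sample data: (nid, title, status); status 1 = published, 0 = unpublished.
SAMPLE_NODES = [
    (1, "foo bar", 1),
    (2, "foo%bar", 1),
    (3, "xfoo bar", 1),
    (4, "secret foo draft", 0),
]


def db_like(value: str) -> str:
    """Escape LIKE metacharacters with a backslash, as Drupal's db_like() does."""
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def connect_sample_db() -> sqlite3.Connection:
    """Build an in-memory node table from the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE node (nid INTEGER, title TEXT, status INTEGER)")
    conn.executemany("INSERT INTO node VALUES (?, ?, ?)", SAMPLE_NODES)
    return conn


def autocomplete_unescaped(conn: sqlite3.Connection, user_input: str) -> list:
    """Hypothetical query as the thread describes it: parameterised (so not injectable),
    but the user's % and _ are live wildcards and unpublished nodes are not filtered."""
    rows = conn.execute(
        "SELECT title FROM node WHERE title LIKE ? ORDER BY nid",
        (user_input + "%",),
    )
    return [r[0] for r in rows]


def autocomplete_hardened(conn: sqlite3.Connection, user_input: str) -> list:
    """Same query with db_like() escaping and a publication-status condition.
    The ESCAPE clause tells the database which character db_like() used."""
    rows = conn.execute(
        "SELECT title FROM node WHERE title LIKE ? ESCAPE '\\' AND status = 1 ORDER BY nid",
        (db_like(user_input) + "%",),
    )
    return [r[0] for r in rows]


def run_demo() -> dict:
    """Run both variants over inputs that show the two differences."""
    conn = connect_sample_db()
    return {
        # A leading % turns a prefix search into a substring search.
        "unescaped %foo": autocomplete_unescaped(conn, "%foo"),
        "hardened %foo": autocomplete_hardened(conn, "%foo"),
        # A literal % in the title is only matched once it is escaped.
        "unescaped foo%": autocomplete_unescaped(conn, "foo%"),
        "hardened foo%": autocomplete_hardened(conn, "foo%"),
        # Without the status condition an unpublished title is revealed.
        "unescaped sec": autocomplete_unescaped(conn, "sec"),
        "hardened sec": autocomplete_hardened(conn, "sec"),
    }


if __name__ == "__main__":
    for label, titles in run_demo().items():
        print(f"{label:16} -> {titles}")
```

With the unescaped query, "%foo" matches every title that contains "foo", including the unpublished one, while the hardened query treats the leading % as a literal character and returns nothing. Whether the wildcard half matters is the point of disagreement in the thread; the status filter is the part both sides agree belongs in the function.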