by dmilicevic 3345 days ago
The good thing is that Sugar is slowly but steadily replacing the old codebase but they should be more transparent on addressing these serious issues.

Yes. For example, SugarCRM is adding prepared statement support which mitigates any potential SQL injection problems. I mention this since it was posted just this last week. These changes are very large and far reaching so it does take time.

https://developer.sugarcrm.com/2017/04/17/use-of-prepared-st...

Prepared statements have been considered best practice for over a decade now. I know these things take time, but the fact that this is just happening now is actually more cause for alarm, not less.
Great stuff again, Matthew :) Your blogs are always easy to read and helpful! Personally I think that string concatenation in query building throughout the Sugar code base (campaigns, workflows) is very problematic and could also be exposed in a couple of scenarios. But like I said, this seems to be work in progress at Sugar currently.

Hopefully Sugar will come forward with a response to these allegations because these are serious security risks.

Thanks. Yes, I am hopeful that a response will be forthcoming.
> mitigates any potential SQL injection problems

Not quite: string concat for defining queries is still plenty vulnerable regardless of PDO.

It mitigates quite some SQL injection possibilities, but yes, string concat while building queries still remains an issue.
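The distinction the last few comments draw (a prepared-statement API only helps when the user value is bound as a parameter, not when it has already been concatenated into the query text) as an added example; this is not code from the thread or from SugarCRM, and it uses Python with sqlite3 standing in for PHP/PDO, with a constructed in-memory `accounts` table:

```python
import sqlite3


def setup_db():
    """Constructed in-memory table standing in for a CRM 'accounts' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO accounts (name) VALUES (?)",
                     [("alice",), ("bob",)])
    return conn


def find_by_name_concat(conn, name):
    """Query text built by string concatenation, the pattern the thread warns
    about. The driver still 'prepares' this string, but the user value is
    already part of the SQL, so a prepared-statement API changes nothing."""
    sql = "SELECT name FROM accounts WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def find_by_name_bound(conn, name):
    """Same query with a placeholder: the statement structure is fixed at
    prepare time and the value is bound separately, so it cannot alter it."""
    sql = "SELECT name FROM accounts WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]


def regression_check(query_fn):
    """Regression test a reviewer can keep in CI: an input containing a quote
    must be treated as a literal name and must never widen the result set.
    Returns True when the query function passes."""
    conn = setup_db()
    probe = "x' OR '1'='1"  # constructed test input, not a real account name
    return (query_fn(conn, probe) == []
            and query_fn(conn, "alice") == ["alice"])


if __name__ == "__main__":
    print("concat passes?", regression_check(find_by_name_concat))  # False
    print("bound passes? ", regression_check(find_by_name_bound))   # True
```

The concatenated version returns every row for the probe input, which is exactly why migrating to PDO without also removing string-built queries leaves the original issue in place.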