by anonfunction 4263 days ago
The patch is only one line[1], so if you're scared to update Drupal for fear of breaking things you can just patch the vulnerable part.

In this file:

    includes/database/database.inc

Replace line 739:

    foreach ($data as $i => $value) {

With the patched code:

    foreach (array_values($data) as $i => $value) {

[1] https://www.drupal.org/files/issues/SA-CORE-2014-005-D7.patc...
2 comments
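
Why the one-line change matters, as an added example that is not part of the original post and is not Drupal's code: a simplified model of placeholder expansion in which each array key is appended to the placeholder name. The function names and sample arrays are constructed, and the naming scheme is an assumption about the loop body, which the post does not show.

```php
<?php
// Added illustration: a simplified model of array-placeholder expansion,
// not Drupal's code. Function names and sample inputs are constructed.

// "Before" behaviour: the caller's array keys become part of placeholder names.
function expand_with_keys(string $placeholder, array $data): array {
    $expanded = [];
    foreach ($data as $i => $value) {
        $expanded[$placeholder . '_' . $i] = $value;
    }
    return $expanded;
}

// "After" behaviour: array_values() discards the keys and reindexes from 0.
function expand_reindexed(string $placeholder, array $data): array {
    $expanded = [];
    foreach (array_values($data) as $i => $value) {
        $expanded[$placeholder . '_' . $i] = $value;
    }
    return $expanded;
}

// Defensive check: every generated name must be <placeholder>_<digits>.
function names_are_safe(string $placeholder, array $expanded): bool {
    $pattern = '/^' . preg_quote($placeholder, '/') . '_\d+$/D';
    foreach (array_keys($expanded) as $name) {
        if (!preg_match($pattern, $name)) {
            return false;
        }
    }
    return true;
}

// Constructed inputs: a normal list, and an array with string keys,
// which PHP accepts anywhere a list is expected.
$samples = [
    'sequential list' => [10, 20],
    'string keys'     => ['first' => 10, 'some text' => 20],
];

foreach ($samples as $label => $data) {
    foreach (['expand_with_keys', 'expand_reindexed'] as $fn) {
        $expanded = $fn(':ids', $data);
        printf("%-16s %-17s %-28s %s\n", $label, $fn,
            implode(', ', array_keys($expanded)),
            names_are_safe(':ids', $expanded) ? 'ok' : 'REJECT');
    }
}
```

Only the key-preserving variant fed the string-keyed array fails the name check; the reindexed variant yields `:ids_0, :ids_1` for both inputs.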

When I wrote PHP, I never felt comfortable with associative arrays and sequential arrays being almost indistinguishable. Part of that is my Perl heritage, I'm sure, but the slight cognitive load it reduced in choosing your data structure always seemed vastly dwarfed by the extra complexity of umpteen different functions that work on arrays in different ways and the confusion it can cause when you didn't receive exactly what you were expecting and ended up with non-numerical keys when you expected numerical ones or vice-versa (as in this case).

I guess it's just another example of the Waterbed Theory[1].

1: http://en.wikipedia.org/wiki/Waterbed_theory

So is that the full patch or is there a validation test included somewhere else?