by pestaa
4263 days ago
Please note that in this case the prepared statement gave a false sense of security, but is not actually responsible for the vulnerability. Due to the statement being prepared, all bound parameters are correctly encoded -- not the parameter names themselves though, which Drupal should have sanitized first. Letting $data through the array_values() call will give you a zero-indexed array, which gives you predictable and safe parameter names.
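To make the point of the comment above concrete, here is an added illustration (not code from the comment author and not Drupal's own implementation) of the pattern being described: an array bound to a single named placeholder is expanded into one placeholder per element, and the new placeholder names are derived from the array's keys. The function name expand_placeholders and the attacker array are hypothetical and constructed for this example; the only thing the two calls differ in is whether $data is passed through array_values() first.

```php
<?php
// Added illustration of the placeholder-expansion pattern discussed above.
// Not Drupal's code: expand_placeholders() is a hypothetical, simplified
// re-creation, and the inputs below are constructed for the example.

function expand_placeholders(string $query, array $args, bool $reindex): array
{
    foreach ($args as $name => $data) {
        if (!is_array($data)) {
            continue; // scalar arguments are bound as-is
        }

        // The fix the comment describes: reindex so keys are 0..n-1 and
        // the derived placeholder names cannot be influenced by the caller.
        if ($reindex) {
            $data = array_values($data);
        }

        // Build one placeholder per element. The placeholder *name* is
        // built from the array key, and only the *value* will be bound.
        $expanded = [];
        foreach ($data as $key => $value) {
            $expanded[$name . '_' . $key] = $value;
        }

        // Splice the new placeholder names into the SQL text.
        $query = preg_replace(
            '#' . preg_quote($name, '#') . '\b#',
            implode(', ', array_keys($expanded)),
            $query
        );

        unset($args[$name]);
        $args += $expanded;
    }

    return [$query, $args];
}

// Constructed attacker input: the SQL lives in the array KEY, the value is harmless.
$attacker = ["0; DROP TABLE users; -- " => 'x'];
$sql = 'SELECT * FROM users WHERE name IN (:name)';

// Vulnerable: keys are used verbatim, so the key becomes part of the SQL text
// before any binding happens. Binding :name_0... afterwards cannot undo that.
[$unsafe_query, $unsafe_args] = expand_placeholders($sql, [':name' => $attacker], false);
echo "vulnerable: ", $unsafe_query, "\n";

// Hardened: array_values() yields zero-indexed keys, so the placeholder name
// is always :name_0, :name_1, ... regardless of what the caller supplied.
[$safe_query, $safe_args] = expand_placeholders($sql, [':name' => $attacker], true);
echo "hardened:   ", $safe_query, "\n";
print_r($safe_args);
```

Run it with `php example.php`. In the first call the semicolon and the DROP statement are already inside the query string when it reaches the driver, because they travelled in the placeholder name rather than in a bound value; prepared-statement encoding protects values, never the SQL text they are spliced into. In the second call the only placeholder name that can appear is `:name_0`, and the attacker's string survives solely as the bound value `x`.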