> On 22 Jun 2021, at 21:38, Craig Francis <cr...@craigfrancis.co.uk> wrote:
>
> If you can point me to an example where including integers in this has
> introduced a security vulnerability then please do, and I mean it, that’s
> what this process is for, I genuinely want people to come forward with them
> so we can refine this.
It took me about a minute to think of this:

    "select * from customer_purchases where {$column} = :value"

The developer inadvertently passes the same "trusted value" in as the `$column` substitute and the value parameter. It must be safe because we ran it through `is_trusted`! The query now executes as:

    "select * from customer_purchases where 12345 = 12345"

You cannot magically make all dynamically generated queries safe - they tried that about a quarter of a century ago. Hint: it did not end well - and explicitly allowing some user input is just mind-boggling given the stated goals.
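The failure mode described in the reply above, as an added example that is not part of the thread: a Python/sqlite3 stand-in for the PHP query (the `customer_purchases` table, its columns and the sample rows are constructed), showing that an integer interpolated as the column name turns the filter into a tautology that matches every row, and that a fixed allow-list of identifiers is what catches it, regardless of where the string came from.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for the customer_purchases table.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table customer_purchases "
        "(id integer primary key, customer_id integer, amount integer)"
    )
    conn.executemany(
        "insert into customer_purchases values (?, ?, ?)",
        [(1, 12345, 10), (2, 12345, 25), (3, 67890, 40), (4, 11111, 5)],
    )
    return conn


def query_as_written(conn, column, value):
    # The pattern from the thread: the column name is interpolated into the SQL
    # text and the value is bound. Nothing here prevents `column` being 12345,
    # which yields "where 12345 = :value" and matches every row.
    sql = f"select * from customer_purchases where {column} = :value"
    return conn.execute(sql, {"value": value}).fetchall()


# Identifiers cannot be bound as parameters, so the only safe way to pick a
# column dynamically is to compare against a fixed set of known names.
ALLOWED_COLUMNS = {"customer_id", "amount"}


def query_with_allow_list(conn, column, value):
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"column not permitted: {column!r}")
    sql = f"select * from customer_purchases where {column} = :value"
    return conn.execute(sql, {"value": value}).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(len(query_as_written(db, 12345, 12345)), "rows with 12345 = 12345")
    print(len(query_as_written(db, "customer_id", 12345)), "rows for customer 12345")
```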