> On 22 Jun 2021, at 21:38, Craig Francis <cr...@craigfrancis.co.uk> wrote:
> 
> If you can point me to an example where including integers in this has
> introduced a security vulnerability then please do, and I mean it, that’s
> what this process is for, I genuinely want people to come forward with them
> so we can refine this.


It took me about a minute to think of this:

 "select * from customer_purchases where {$column} = :value".

The developer inadvertently passes the same “trusted value” in as the `$column` 
substitute and the value parameter. It must be safe because we ran it through 
`is_trusted`!

The query now executes as:

 "select * from customer_purchases where 12345 = 12345"


You cannot magically make all dynamically generated queries safe - they tried 
that about a quarter of a century ago. Hint: it did not end well - and 
explicitly allowing some user input is just mind boggling given the stated 
goals.
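The tautology described in the reply above, reproduced as an added example that is not part of the thread. It uses Python with sqlite3 rather than PHP so it runs stand-alone; `is_trusted_stub` is a hypothetical stand-in for the proposed `is_trusted()` rule that integers always pass, the table schema and rows are constructed, and `safe_query` shows the usual mitigation: identifiers come only from a fixed allowlist, and the value stays a bound parameter.

```python
import sqlite3

# Constructed sample data (not from the thread): three customers' purchases.
ROWS = [
    (12345, "alice", 10),
    (67890, "bob", 20),
    (11111, "carol", 30),
]

# Assumed schema; identifiers allowed in the column position of the query.
ALLOWED_COLUMNS = {"customer_id", "customer_name", "amount"}


def make_db():
    """Create an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table customer_purchases "
        "(customer_id integer, customer_name text, amount integer)"
    )
    conn.executemany("insert into customer_purchases values (?, ?, ?)", ROWS)
    return conn


def is_trusted_stub(value):
    """Hypothetical stand-in for the RFC's check: literals and integers pass.

    In this toy every str is treated as a literal, which is exactly the
    distinction the check cannot make at runtime; the point here is only
    that an integer is accepted without regard to where it is used.
    """
    return isinstance(value, (int, str))


def vulnerable_query(conn, column, value):
    """The pattern from the email: column interpolated, value bound.

    When the same integer is passed as both `column` and `value`, the
    SQL becomes `where 12345 = 12345`, a tautology that matches every row.
    """
    if not is_trusted_stub(column):
        raise ValueError("column rejected by trusted-value check")
    sql = f"select * from customer_purchases where {column} = :value"
    return conn.execute(sql, {"value": value}).fetchall()


def safe_query(conn, column, value):
    """Hardened form: identifiers only from an allowlist, value still bound."""
    if column not in ALLOWED_COLUMNS:
        raise ValueError(f"column not allowed: {column!r}")
    sql = f"select * from customer_purchases where {column} = :value"
    return conn.execute(sql, {"value": value}).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Developer's mistake: the "trusted" integer lands in the column slot.
    print("vulnerable, both args 12345:", vulnerable_query(db, 12345, 12345))
    print("intended lookup:", safe_query(db, "customer_id", 12345))
    try:
        safe_query(db, 12345, 12345)
    except ValueError as exc:
        print("hardened query refused:", exc)
```

Run as a script: the vulnerable call returns all three rows even though the integer passed the stub check, the allowlisted call returns only customer 12345, and the hardened version refuses the integer in the identifier position outright.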


