Using placeholders in SQL queries.
otatarintseva opened this issue · 4 comments
Hello,
First of all I want to say thank you for your work with the plugin.
We found some code fragments which should be changed to comply with Moodle code requirements: https://docs.moodle.org/dev/Security#Don.27t_trust_any_input_from_users
- directly used $_GET['q'] and $_GET['round'] in mod/hotquestion/locallib.php instead of using optional_param() or required_param()
Also placeholders should be used in SQL queries to comply with Moodle code requirements: https://docs.moodle.org/dev/Data_manipulation_API#Placeholders
- in mod/hotquestion/locallib.php in download_questions() method the variable $this->instance->id is concatenated directly to SQL query. It should be passed as one of the parameters to $DB->get_records_sql() instead.
- in mod/hotquestion/locallib.php in hotquestion_count_entries() method the variables $hotquestion->id, $gid->id and $USER->id are concatenated directly to the SQL query. They should be passed as parameters to $DB->get_records_sql() instead.
- in mod/hotquestion/locallib.php in hotquestion_get_coursemodule() method the variable $hotquestionid is concatenated directly to SQL query. It should be passed as one of the parameters to $DB->get_records_sql() instead.
Best regards,
Olena Tatarintseva
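As an added illustration of the two fixes the report asks for (this is example code, not the hotquestion plugin's own code and not part of the issue): request parameters are read through `required_param()`/`optional_param()` instead of `$_GET`, and the instance, group and user ids travel in the `$params` array of `$DB->count_records_sql()` / `$DB->get_records_sql()` rather than being concatenated into the SQL text. The table `{hotquestion_questions}`, its column names and the function names `example_count_entries()` / `example_questions_for_download()` are assumptions for the example, not the plugin's real schema or API.

```php
<?php
// Added example for this issue; not the plugin's own code.
// Assumed table {hotquestion_questions} with columns hotquestion (instance id),
// groupid, userid, content and time. Adjust to the real schema.

defined('MOODLE_INTERNAL') || die();

// --- Request parameters ----------------------------------------------------
// Before: raw superglobals, no type cleaning.
//   $round = $_GET['round'];
//   $q     = $_GET['q'];
// After: Moodle's parameter API cleans the value to the declared type.
$round = optional_param('round', 0, PARAM_INT); // optional, defaults to 0
$q     = required_param('q', PARAM_INT);        // required; errors if missing

/**
 * Count one user's entries in a hotquestion instance (optionally one group).
 *
 * Before (concatenation: the ids become part of the SQL string):
 *   $sql = "SELECT COUNT(*) FROM {hotquestion_questions}
 *            WHERE hotquestion = " . $hotquestion->id . "
 *              AND groupid = " . $gid->id . " AND userid = " . $USER->id;
 *   return $DB->count_records_sql($sql);
 */
function example_count_entries(stdClass $hotquestion, ?stdClass $gid, stdClass $user): int {
    global $DB;

    // Named placeholders: every value goes through $params, never into the SQL text.
    $sql = "SELECT COUNT(*)
              FROM {hotquestion_questions}
             WHERE hotquestion = :hotquestionid
               AND userid = :userid";
    $params = ['hotquestionid' => $hotquestion->id, 'userid' => $user->id];

    if ($gid !== null) {
        // Extending the query is fine as long as the value is still bound.
        $sql .= " AND groupid = :groupid";
        $params['groupid'] = $gid->id;
    }

    return (int) $DB->count_records_sql($sql, $params);
}

/**
 * Fetch the rows to export for one instance (the download_questions() case).
 * Positional (?) placeholders work the same way as named ones.
 */
function example_questions_for_download(int $instanceid): array {
    global $DB;

    $sql = "SELECT id, content, userid, time
              FROM {hotquestion_questions}
             WHERE hotquestion = ?
          ORDER BY time ASC";

    return $DB->get_records_sql($sql, [$instanceid]);
}
```

The two placeholder styles must not be mixed in one query. For a variable-length list of ids (an `IN (...)` clause), `$DB->get_in_or_equal()` builds the placeholder fragment and matching parameter array so the same rule holds there too.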
Hate to say it, but I was in the middle of making other changes of those types in 2018 when we discovered my wife had pancreatic cancer. Recently, when I finally had free time to go back to working on plugins, I forgot to finish these, and went to work on other stuff in MooTyper. I will see what I can do over the next day or two, as right now I am able to work only in the mornings for about 3 hours each day, due to other commitments.
Fixed the ones listed above, but found some more in .../classes/privacy/provider.php. Will work on them next.
Changes included in v3.8.1.
I am very sorry about your wife's illness. I hope your family is well now.
Thank you for the code changes you implemented and delivered in this ticket. You do a good job.