Drupal 6 is NOT safe!

It is less safe than Drupal 7!

You have been warned!

Note: I am risking everything by posting here at all!

Yeah, trusting YOU is how we got into this mess in the first place! Hechtmail visitors, YOU HAVE BEEN WARNED!

If this one change from .31 to .32 doesn't instill confidence, then what will? It is the only change in the entire release.

diff -r drupal-7.31/modules/simpletest/tests/database_test.test drupal-7.32/modules/simpletest/tests/database_test.test
3386a3387,3414
>
> /**
> * Test SQL injection via database query array arguments.
> */
> public function testArrayArgumentsSQLInjection() {
> // Attempt SQL injection and verify that it does not work.
> $condition = array(
> "1 ;INSERT INTO {test} SET name = 'test12345678'; -- " => '',
> '1' => '',
> );
> try {
> db_query("SELECT * FROM {test} WHERE name = :name", array(':name' => $condition))->fetchObject();
> $this->fail('SQL injection attempt via array arguments should result in a PDOException.');
> }
> catch (PDOException $e) {
> $this->pass('SQL injection attempt via array arguments should result in a PDOException.');
> }
>
> // Test that the insert query that was used in the SQL injection attempt did
> // not result in a row being inserted in the database.
> $result = db_select('test')
> ->condition('name', 'test12345678')
> ->countQuery()
> ->execute()
> ->fetchField();
> $this->assertFalse($result, 'SQL injection attempt did not result in a row being inserted in the database table.');
> }
>
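Review bot: the PDOException assertion in testArrayArgumentsSQLInjection() is satisfied by any database error, so on its own it does not show that the attacker-controlled array key "1 ;INSERT INTO {test} SET name = 'test12345678'; -- " was kept out of the query text; the decisive check is the countQuery() on 'test12345678' that follows, and the test comment should say so and explain where the exception is expected to originate when the two-element array is expanded into `SELECT * FROM {test} WHERE name = :name`. The payload also uses `INSERT ... SET`, which is MySQL syntax, so on other drivers the injected statement could fail for reasons unrelated to the fix; consider a portable statement or a per-driver note. Finally, this diff touches only modules/simpletest/tests/database_test.test: it adds the regression test but not the change to the placeholder-expansion code that the test exercises, so this hunk alone cannot confirm that the release is fixed.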

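To make concrete what the regression test above is probing, the following is an added PHP illustration (not Drupal's code and not part of this thread) of how expanding an array placeholder into a list of placeholders can leak an attacker-controlled array key into the SQL text, next to a counter-based expansion that cannot. The function names, the simplified expansion logic and the sample query are assumptions for the demo; the payload is the one used in the test. It runs with plain PHP and needs no database.

```php
<?php
// Added illustration, not Drupal's own code: two ways of expanding an array
// placeholder such as ":name" into ":name_0, :name_1, ...". Function names and
// the query are assumptions for this demo.

/**
 * Expansion that derives each new placeholder name from the array KEY.
 * The key is concatenated into the placeholder name, and that name is then
 * spliced into the query string. An attacker who controls the key therefore
 * controls text that lands in the SQL outside any parameter binding.
 */
function expand_arguments_by_key($query, array $args) {
  foreach (array_filter($args, 'is_array') as $key => $data) {
    $new_keys = array();
    foreach ($data as $i => $value) {
      $new_keys[$key . '_' . $i] = $value;   // $i comes from the caller's array
    }
    // The placeholder names become part of the query text.
    $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
    unset($args[$key]);
    $args += $new_keys;
  }
  return array($query, $args);
}

/**
 * Expansion that derives placeholder names from a local counter.
 * Only the array VALUES are taken from the caller, and they stay bound as
 * parameters; the keys never influence the query text.
 */
function expand_arguments_by_index($query, array $args) {
  foreach (array_filter($args, 'is_array') as $key => $data) {
    $new_keys = array();
    $i = 0;
    foreach ($data as $value) {
      $new_keys[$key . '_' . $i++] = $value; // $i is ours, not the caller's
    }
    $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
    unset($args[$key]);
    $args += $new_keys;
  }
  return array($query, $args);
}

// Constructed input: the same payload the regression test uses. Note that the
// injected SQL lives in the array KEY, while the values are harmless.
$condition = array(
  "1 ;INSERT INTO {test} SET name = 'test12345678'; -- " => '',
  '1' => '',
);
$sql = "SELECT * FROM {test} WHERE name = :name";

// Key-derived expansion: the INSERT text ends up inside the query string.
list($q_by_key, $args_by_key) = expand_arguments_by_key($sql, array(':name' => $condition));
echo "key-based:   ", $q_by_key, "\n";
echo "  injected SQL present in query text: ",
     (strpos($q_by_key, 'INSERT INTO') !== FALSE ? 'yes' : 'no'), "\n";

// Counter-derived expansion: the key is discarded; only ":name_0, :name_1"
// reach the query, and the values are passed as bound parameters.
list($q_by_index, $args_by_index) = expand_arguments_by_index($sql, array(':name' => $condition));
echo "index-based: ", $q_by_index, "\n";
echo "  injected SQL present in query text: ",
     (strpos($q_by_index, 'INSERT INTO') !== FALSE ? 'yes' : 'no'), "\n";
echo "  bound parameters: ", implode(', ', array_keys($args_by_index)), "\n";
```

Run it and compare the two printed queries: only the key-based expansion carries the `INSERT INTO` text, the index-based one contains nothing the caller's keys supplied. Either way the sample query is written with `name =` rather than `name IN (...)`, so a two-element expansion yields a comparison the database will reject; that is consistent with the test above expecting a PDOException, while its count on the `test` table is what shows the INSERT never ran.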
I thought D Rupal was a drag queen

http://www.bbc.com/news/technology-29846539

Yeah, they may have gotten phecht.com, and accessdataonline is probably screwed. Since they are on the same server, we are all screwed.

Happy Halloween indeed!
