(03-20-2015, 04:14 AM)KwiceroLTD Wrote: [...]
There are multiple, MULTIPLE issues in this, and I don't even do auditing for a living or as a hobby.
[...]
Code:
$sql = $zdbh->prepare("INSERT INTO $database.$table_name $insert");
I agree it can be better written, but ... the real question is: "are $database, $table and $insert reachable from a user?"
The response is no: they are not even reachable at all!!!!
This code is extracted from the class db_builder. If you look a bit better with a good search tool, you will see that this class is NEVER called!
I do not know from where (or from when) it comes, but it is an outdated class that can be removed. Moreover, from its content, I discovered that it was intended to read and build a database from an XML file.
-> I am pretty sure that it was NEVER callable from the internet side, and I strongly suppose that it was a tool intended to be used from zppy or something like it (module setup?).
So, please do not worry about this file or any of its (bad) content!
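
Added example, not part of the post above and not code from the project: calling prepare() on a string that already has the table name and column list interpolated binds nothing, so a hardened form checks identifiers against an allowlist and sends values as bound parameters. It assumes the handle is a PDO object; the SQLite in-memory database, the `ALLOWED` map, `safeInsert()` and the table and column names are constructed for illustration, and a database-name prefix would be checked the same way as the table name.

```php
<?php
// Added example: constructed table and column names, not taken from the project.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE x_accounts (ac_user TEXT, ac_email TEXT)');

// Hypothetical allowlist: every table the importer may write to, with its columns.
const ALLOWED = [
    'x_accounts' => ['ac_user', 'ac_email'],
];

function safeInsert(PDO $pdo, string $table, array $row): void
{
    if (!isset(ALLOWED[$table])) {
        throw new InvalidArgumentException("table not allowed: $table");
    }
    $columns = array_keys($row);
    $unknown = array_diff($columns, ALLOWED[$table]);
    if ($columns === [] || $unknown !== []) {
        throw new InvalidArgumentException('column not allowed: ' . implode(', ', $unknown));
    }
    // Identifiers come only from the allowlist; values travel as bound parameters.
    // Double quotes are the standard SQL identifier quote (MySQL defaults to backticks).
    $sql = sprintf(
        'INSERT INTO "%s" ("%s") VALUES (%s)',
        $table,
        implode('", "', $columns),
        implode(', ', array_fill(0, count($columns), '?'))
    );
    $pdo->prepare($sql)->execute(array_values($row));
}

// A value containing a quote is stored literally because it is bound, not interpolated.
safeInsert($pdo, 'x_accounts', ['ac_user' => 'alice', 'ac_email' => "a'b@example.test"]);

try {
    // A table name carrying extra SQL text, as an input file could supply it.
    safeInsert($pdo, "x_accounts (ac_user) VALUES ('x') --", ['ac_user' => 'x']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

echo $pdo->query('SELECT COUNT(*) FROM x_accounts')->fetchColumn(), ' row stored', PHP_EOL;
```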