Skip to content

Draft: Escape all values interpolated in SQL queries in the Perso controller

nono requested to merge (removed):119-fix-various-vulnerabilities into preprod

One of the parameters was correctly escaped with \Utils::asl() (a wrapper around addslashes()), but not in the right context: it is only effective when the value is interpolated in a SQL string.

Closes #119

Merge request reports