MyBB Community Forums

Full Version: Require PHP Prepared Statements in MyBB Core and Plugins for 1.10 and up.
With the aim of reducing the risk of database breaches caused by plugins and, occasionally, by a bug in MyBB Core: let's stop these attacks once and for all in MyBB 1.10 by rewriting MyBB Core's database logic to use PHP prepared statements and requiring that all plugins use them to remain in the Extend database.

MyBB's database classes would still be on top, but something like:
$query = "SELECT forumName, postCount, threadCount, lastPosterName FROM mybb_forums WHERE categoryID = :categoryID";
$statement = $db->prepare($query);
// bind the request value as an integer; the placeholder keeps it out of the SQL text
// (PDO-style named parameter and type constant assumed for the wrapper)
$statement->bindValue(':categoryID', (int)$_GET['cat_id'], PDO::PARAM_INT);
$statement->execute();

// use results to show the forums listing for a specific category
while ($forum = $statement->fetch(PDO::FETCH_ASSOC)) {
    ...
}

Thoughts?
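As an added example (not code from this thread or from MyBB itself), here are the two patterns side by side in PHP: the concatenated query most plugins write today and the prepared statement the post proposes, run against an in-memory SQLite table through PDO so it works offline. The table, its rows and the hostile cat_id value are constructed for the demo, and the pdo_sqlite extension is assumed. The last function shows the one place placeholders do not help, an identifier such as an ORDER BY column, which still needs an allow-list.

```php
<?php
// Added example, not MyBB code. Demonstrates why the proposal in the thread
// matters: the same request value is first concatenated into SQL, then bound
// through a prepared statement. Data below is constructed for the demo.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE mybb_forums (fid INTEGER PRIMARY KEY, name TEXT, categoryID INTEGER)');
$pdo->exec("INSERT INTO mybb_forums VALUES (1, 'Announcements', 1), (2, 'Support', 2), (3, 'Private Staff', 99)");

// Today's typical plugin pattern: raw request input is glued into the SQL text,
// so whatever the client sends becomes part of the query grammar.
function forumsByCategoryConcat(PDO $pdo, string $catId): array
{
    $sql = "SELECT fid, name FROM mybb_forums WHERE categoryID = " . $catId;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The proposed pattern: a named placeholder in the SQL, the value bound separately.
// The database receives the SQL and the value as two distinct things, so the value
// can never change the query's structure. The int cast additionally normalises the type.
function forumsByCategoryPrepared(PDO $pdo, string $catId): array
{
    $stmt = $pdo->prepare('SELECT fid, name FROM mybb_forums WHERE categoryID = :categoryID');
    $stmt->bindValue(':categoryID', (int) $catId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Caveat: placeholders carry values only. A column name for ORDER BY cannot be
// bound, so it has to be checked against an allow-list before it enters the SQL text.
function forumsSorted(PDO $pdo, string $sortBy): array
{
    $allowed = ['fid', 'name'];
    if (!in_array($sortBy, $allowed, true)) {
        $sortBy = 'fid'; // unknown or hostile column name falls back to a safe default
    }
    $stmt = $pdo->prepare("SELECT fid, name FROM mybb_forums ORDER BY $sortBy");
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$benign  = '2';           // what a normal ?cat_id= looks like
$hostile = '2 OR 1=1';    // constructed attacker value for ?cat_id=

printf("concat, benign:    %d row(s)\n", count(forumsByCategoryConcat($pdo, $benign)));   // 1
printf("concat, hostile:   %d row(s)\n", count(forumsByCategoryConcat($pdo, $hostile)));  // 3, every forum including the private one
printf("prepared, benign:  %d row(s)\n", count(forumsByCategoryPrepared($pdo, $benign))); // 1
printf("prepared, hostile: %d row(s)\n", count(forumsByCategoryPrepared($pdo, $hostile)));// 1, the payload is just data
printf("sorted by hostile column: %d row(s)\n", count(forumsSorted($pdo, 'name; DROP TABLE mybb_forums'))); // 3, allow-list falls back to fid
```

The concatenated version leaks the "Private Staff" row because "OR 1=1" becomes part of the WHERE clause; the prepared version returns only category 2 regardless of what follows the number. Note that the allow-list step is still required under the proposal in this thread: a rule that plugins must use prepared statements covers values, and identifiers (table names, columns, sort directions) need their own check.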
Yes, this is planned for 1.10: https://github.com/mybb/mybb/issues/2943