Require PHP Prepared Statements in MyBB Core and Plugins for 1.10 and up.
#1
In the aim of reducing the risk of database breaches caused by plugins and occasionally a bug in MyBB Core, let's stop these attacks once and for all in MyBB 1.10 by rewriting MyBB Core's database logic using PHP prepared statements and requiring that all plugins use them to remain in the Extend database.

MyBB's database classes would still be on top but something like:
$query = "SELECT forumName, postCount, threadCount, lastPosterName FROM mybb_forums WHERE categoryID = :categoryID";
$statement = $db->prepare($query);
$statement->bindValue('categoryID', $_GET['cat_id']);
$statement->execute();

// use results to show the forums listing for a specific category
...

Thoughts?
Software Engineer specializing in C# Program Development
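The pattern the post sketches, carried through as an added example (not MyBB's own code, and not from the thread): the category-forum lookup written with PDO prepared statements, run against a constructed in-memory SQLite fixture whose table and column names follow the post's query. The fixture rows, the helper names and the SQLite DSN are assumptions made for this example; the same PDO calls apply to MySQL with the DSN swapped.

```php
<?php
// Added example, not MyBB code. Demonstrates why the post wants prepared
// statements: the SQL text is fixed at prepare() time and request input
// travels separately as a bound value, so it cannot change query structure.
declare(strict_types=1);

function open_fixture(): PDO
{
    // In-memory SQLite keeps the example self-contained (assumed DSN).
    // On MySQL you would additionally set PDO::ATTR_EMULATE_PREPARES => false
    // so the server, not the client library, does the parameter binding.
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
    $db->exec('CREATE TABLE mybb_forums (
        fid INTEGER PRIMARY KEY, categoryID INTEGER, forumName TEXT,
        postCount INTEGER, threadCount INTEGER, lastPosterName TEXT)');

    // Constructed sample rows; even the seed data goes in through bound values.
    $seed = $db->prepare('INSERT INTO mybb_forums
        VALUES (:fid, :cat, :name, :posts, :threads, :poster)');
    foreach ([
        [1, 1, 'Announcements', 120, 15,  'alice'],
        [2, 1, 'General',       980, 140, 'bob'],
        [3, 2, 'Plugins',       430, 60,  'carol'],
    ] as [$fid, $cat, $name, $posts, $threads, $poster]) {
        $seed->execute([
            ':fid' => $fid, ':cat' => $cat, ':name' => $name,
            ':posts' => $posts, ':threads' => $threads, ':poster' => $poster,
        ]);
    }
    return $db;
}

// The anti-pattern the post wants removed from core and plugins: request
// input spliced into the SQL text. Built here only to show the resulting
// query string for comparison; it is never executed in this example.
function forums_in_category_unsafe_sql(string $categoryId): string
{
    return "SELECT forumName, postCount, threadCount, lastPosterName "
         . "FROM mybb_forums WHERE categoryID = $categoryId";
}

// The replacement: placeholder in the SQL, value bound at execute time.
function forums_in_category(PDO $db, string $categoryId): array
{
    $statement = $db->prepare(
        'SELECT forumName, postCount, threadCount, lastPosterName
           FROM mybb_forums WHERE categoryID = :categoryID'
    );
    // $_GET values arrive as strings; bind as-is and let the database compare.
    // SQLite's INTEGER affinity turns the well-formed "1" into 1 for the
    // comparison, while a non-numeric string simply matches nothing.
    $statement->bindValue(':categoryID', $categoryId, PDO::PARAM_STR);
    $statement->execute();
    return $statement->fetchAll();
}

$db = open_fixture();

// Ordinary request, as $_GET['cat_id'] would deliver it: two forums.
$rows = forums_in_category($db, '1');
assert(count($rows) === 2 && $rows[0]['forumName'] === 'Announcements');

// Input that would have rewritten the WHERE clause under concatenation is,
// once bound, just a value that equals no categoryID: zero rows, no breach.
$hostile = '1 OR 1=1';
echo 'concatenated text would have been: '
   . forums_in_category_unsafe_sql($hostile) . PHP_EOL;
$rows = forums_in_category($db, $hostile);
assert($rows === []);
echo 'prepared statement returned ' . count($rows) . " rows\n";
```

Note how the seed insert and the lookup use the same prepare/bind/execute shape, which is the discipline the post asks plugins to adopt across the board rather than only on "risky" queries; with a wrapper class on top, as the post suggests, the raw PDO calls would stay inside MyBB's database layer.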
#2
Yes, this is planned for 1.10: https://github.com/mybb/mybb/issues/2943
devilshakerz.com/pgp (DF3A 34D9 A627 42E5 BC6A 6750 1F2F B8AA 28FF E1BC) ▪ keybase.io/devilshakerz