Description
_db_replace() in lib/database.php interpolates array keys directly
into backtick-quoted SQL column identifiers. If a caller ever passes
user-derived array keys, a backtick in the key name could break out
of the identifier context.
This is a hardening measure. All current sql_save() callers use
hardcoded string keys in PHP source. No user input reaches array
keys under normal operation.
Remediation
Strip non-alphanumeric/underscore characters from column name keys
before SQL construction via preg_replace('/[^a-zA-Z0-9_]/', '', $k).
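The following is an added example, not code from the project or from the advisory above: a sanitizer that applies the preg_replace() strip the remediation describes and a helper that builds the backtick-quoted column list the way the text says _db_replace() does. The function names sanitize_column_key() and build_replace_sql() are illustrative assumptions, not the project's own. It goes one step beyond the remediation by refusing a key that is empty after stripping (an empty identifier would otherwise produce malformed SQL) and by passing values through placeholders rather than interpolating them.

```php
<?php
// Added example (not the project's code). Hardened handling of column
// identifiers built from array keys, following the remediation above.

/**
 * Return a column name safe to wrap in backticks.
 *
 * Strips every character except [a-zA-Z0-9_], exactly as the remediation
 * describes. Added check: a key that is empty after stripping is rejected,
 * since an empty identifier would yield malformed SQL rather than a safe one.
 */
function sanitize_column_key(string $k): string
{
    $clean = preg_replace('/[^a-zA-Z0-9_]/', '', $k);
    if ($clean === '') {
        throw new InvalidArgumentException(
            'column key is empty after sanitizing: ' . var_export($k, true)
        );
    }
    return $clean;
}

/**
 * Build a REPLACE statement from an associative row, sanitizing every
 * identifier and using "?" placeholders for the values so that data never
 * touches the SQL text. Returns [$sql, $params] for a prepared statement.
 * (Hypothetical helper standing in for _db_replace().)
 */
function build_replace_sql(string $table, array $row): array
{
    if ($row === []) {
        throw new InvalidArgumentException('row must not be empty');
    }
    $cols = [];
    $params = [];
    foreach ($row as $k => $v) {
        $cols[] = '`' . sanitize_column_key((string) $k) . '`';
        $params[] = $v;
    }
    $sql = 'REPLACE INTO `' . sanitize_column_key($table) . '` ('
         . implode(', ', $cols) . ') VALUES ('
         . implode(', ', array_fill(0, count($cols), '?')) . ')';
    return [$sql, $params];
}

// Constructed demonstration input; hardcoded keys as in the real callers.
[$sql, $params] = build_replace_sql('users', ['id' => 7, 'name' => 'alice']);
echo $sql, "\n";

// A key containing a backtick is reduced to its alphanumeric part, so the
// identifier context cannot be left; a key with nothing left is refused.
try {
    build_replace_sql('users', ['`' => 1]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Because all current callers use hardcoded keys, a stricter variant that throws whenever the stripped key differs from the original would also be reasonable: any change then signals a bug or untrusted input instead of silently mapping to a different column.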