"Our development team from br.xoops is developing a module to manage memos between users, and to accomplish that it relies heavily on XOOPS classes.
In v. 2.0.3 it used to work, but now it doesn't for .5, and we've found a solution for our problem, but as it messes with the XOOPS 'kernel', it may affect other functions.
Quote:
file "criteria.php" under /class
Line 342:
if ( is_numeric($this->value) ) { // || strtoupper($this->operator) == 'IN') ???
(Used this way, the routine inserted the character ' where it mustn't; we've changed to the alternative below and it worked.)
Quote:
It should be this way to work for our module:
if ( is_numeric($this->value) || strtoupper($this->operator) == 'IN') {
We know about the MySQL 'IN' injection flaws, and we'd like to know if this would affect the XOOPS system.
Thanks in advance,
br.xoops devel team"
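
With the changed condition, the operand of an IN criterion skips the quoting step and reaches the SQL text as supplied, so it has to be validated before it is rendered. The following is an added example, not code from the post or from XOOPS; the function names and the column name are hypothetical, and it assumes the IN value arrives as a comma list of integer IDs, optionally wrapped in parentheses.

```php
<?php
// Added example; not XOOPS code. All names here are hypothetical.

/**
 * Rebuild the operand of an IN clause from a raw value such as "(1, 2, 3)".
 * Every element must be a plain integer; anything else is rejected, so the
 * result can be placed in SQL without quotes.
 */
function render_int_in_list(string $raw): string
{
    $inner = trim($raw);
    // Accept one optional pair of surrounding parentheses.
    if (preg_match('/^\((.*)\)$/s', $inner, $m)) {
        $inner = $m[1];
    }
    $ids = [];
    foreach (explode(',', $inner) as $item) {
        $item = trim($item);
        // Digits only (optional sign); an empty element also fails here.
        if (!preg_match('/^-?\d+$/', $item)) {
            throw new InvalidArgumentException('non-integer element in IN list');
        }
        $ids[] = $item; // kept as the validated string to avoid int overflow
    }
    return '(' . implode(',', $ids) . ')';
}

/** Render "column IN (...)" with a validated column name and operand. */
function render_in_criteria(string $column, string $raw): string
{
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $column)) {
        throw new InvalidArgumentException('unexpected column name');
    }
    return $column . ' IN ' . render_int_in_list($raw);
}

// Constructed sample inputs: two well-formed lists, two that must be rejected.
$samples = ['(4, 8, 15)', '16,23', '(3) OR (1=1)', '(1, abc)'];
foreach ($samples as $raw) {
    try {
        echo render_in_criteria('to_userid', $raw), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $raw, "\n";
    }
}
```

Lists of string values need a different path: each element quoted and escaped individually by the database layer rather than passed through unquoted.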