
[Insight] Database queries should use parameter binding - in httpdocs/Classes/…/Steam/SteamUser.php, line 443 #3

@SpoonOfDoom

Description


in httpdocs/Classes/SteamCompletionist/Steam/SteamUser.php, line 443

If provided by the user, the value of $query may allow an SQL injection attack. Avoid concatenating parameters to SQL query strings, and use parameter binding instead.

```php
// Excerpt from SteamUser.php around the flagged line; the start of the if/else is not part of the report.
        $query = $queryNewStatus . ', ' . $queryOldStatus;
    } else {
        $query = $queryNewStatus . $queryOldStatus;
    }

    // $query is spliced straight into the SQL text, so whatever it contains is run as SQL.
    $this->db->prepare('UPDATE `steamGameDB` SET ' . $query . ' WHERE `appid` = ?');
    // Only appid goes through a bound placeholder; the SET clause does not.
    $this->db->execute(array($game->appId), 'i');

    $game->gameStatus = $status;

}
```

Posted from SensioLabsInsight
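One way to apply the parameter-binding advice to this UPDATE, as an added example rather than the project's own code: column names come from a fixed allowlist and every value is bound. The `prepare()`/`execute(array, types)` wrapper calls mirror the snippet above; the column names `gameStatus` and `statusNote` are assumed, since the report does not show what `$queryNewStatus` and `$queryOldStatus` contain.

```php
<?php
// Added example, not code from the SteamCompletionist project. Table steamGameDB
// and column appid are taken from the report; the other column names are assumed.
// $db->prepare($sql) / $db->execute(array $values, string $types) are assumed to
// behave like the wrapper used in SteamUser.php (mysqli-style type string).

/**
 * Build a parameterised UPDATE for steamGameDB.
 *
 * @param array $changes column => new value, e.g. array('gameStatus' => 2)
 * @param int   $appId   row to update
 * @return array array(string $sql, array $values, string $types)
 * @throws InvalidArgumentException when a column is not allowlisted
 */
function buildStatusUpdate(array $changes, $appId)
{
    // Allowlisted columns mapped to their bind type. Only these keys ever reach
    // the SQL text; user-supplied data is confined to the bound values.
    $allowed = array(
        'gameStatus' => 'i',   // assumed column
        'statusNote' => 's',   // assumed column
    );

    if (empty($changes)) {
        throw new InvalidArgumentException('nothing to update');
    }

    $setParts = array();
    $values   = array();
    $types    = '';
    foreach ($changes as $column => $value) {
        // Reject unknown column names before anything is concatenated.
        if (!array_key_exists($column, $allowed)) {
            throw new InvalidArgumentException('unknown column: ' . $column);
        }
        $setParts[] = '`' . $column . '` = ?'; // name is a known constant, value is bound
        $values[]   = $value;
        $types     .= $allowed[$column];
    }
    $values[] = (int) $appId;
    $types   .= 'i';

    $sql = 'UPDATE `steamGameDB` SET ' . implode(', ', $setParts) . ' WHERE `appid` = ?';
    return array($sql, $values, $types);
}

// Usage with the assumed wrapper (replaces the concatenated $query in SteamUser.php):
// list($sql, $values, $types) = buildStatusUpdate(array('gameStatus' => 2), $game->appId);
// $this->db->prepare($sql);
// $this->db->execute($values, $types);
```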
