GSoC/GCI Archive
Google Code-in 2011 LimeSurvey

Find and fix SQL injection points in the Yii version Part 2

completed by: Daniel Klischies

mentors: Carsten Schmitz (c_schmitz)

Walk the complete application sources (models, controllers, helpers etc. except for external libraries) and look out for old style queries which have their parameters added by string concatenation or other unsafe ways.

Change these to use the Yii bindParams feature and if possible move the query to the query to the model and use active record to proof it against SQL injection.