
john55
  • john55
  • 53% (Neutral)
  • YAF Forumling Topic Starter
14 years ago
Hello,

I am looking at the source of YAF v1.9.3. Almost all of the code now uses stored procedures, however there is one function that still looks to use dynamically created SQL from user input: the search function. I have copied the relevant code below. Is this a security risk?

YAF.Classes.Data\DB.cs method GetSearchResult

You can see in the code:

string searchSql = (maxResults == 0) ? "SELECT" : ("SELECT TOP " + maxResults.ToString());

[a bunch of dynamically created sql]

// make the inner FULLTEXT search
foreach ( string word in words )
{
    if ( !bFirst ) ftInner += " OR "; else bFirst = false;
    ftInner += String.Format( @"""{0}""", word );
}

// make final string...
searchSql += string.Format( "( CONTAINS (c.Message, N' {0} ') OR CONTAINS (a.Topic, N' {0} ') )", ftInner );

[and finally...]

searchSql += " ORDER BY c.Posted DESC";

using ( SqlCommand cmd = DBAccess.GetCommand( searchSql, true ) )
{
    return DBAccess.GetData( cmd );
}

bbobb
  • bbobb
  • 100% (Exalted)
  • YAF Developer
14 years ago
This is not the only function in 1.9.3 which uses such code.

Jaben completely wiped them out somewhere in early 1.9.4 releases.

All the DB query variables should be parameters now.

1.9.3 is no longer developed. Nowadays, everyone upgrades to 1.9.4 which is much more advanced. :-d.
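The parameterised form that bbobb describes, applied to the GetSearchResult snippet john55 posted above. This is an added example, not YAF's own code from 1.9.3 or 1.9.4: the table and key column names (dbo.Message, dbo.Topic, MessageID, TopicID), the use of a plain open SqlConnection in place of YAF's DBAccess helper, and the column list are assumptions. The point it shows is that the user's words never become part of the SQL text; they travel in @search, and TOP takes its limit from @max.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Added example, not YAF code. Table/column names below are assumed placeholders.
public static class SafeSearch
{
    // Turns the user's words into a CONTAINS search condition. Each word is
    // wrapped in double quotes (a full-text "simple term") and any double
    // quote inside a word is doubled, so a word cannot end its term early.
    // This only keeps the full-text syntax well formed; the SQL injection
    // risk is removed by sending the result as a parameter, never as SQL text.
    public static string BuildContainsCondition(IEnumerable<string> words)
    {
        var terms = new List<string>();
        foreach (string word in words)
        {
            string w = (word ?? string.Empty).Trim();
            if (w.Length == 0) continue;
            terms.Add("\"" + w.Replace("\"", "\"\"") + "\"");
        }
        return string.Join(" OR ", terms);
    }

    // Same shape as the original GetSearchResult: optional TOP, full-text
    // match on message body or topic title, newest first. The connection is
    // assumed to be open already.
    public static DataTable GetSearchResult(SqlConnection conn, IEnumerable<string> words, int maxResults)
    {
        string condition = BuildContainsCondition(words);
        if (condition.Length == 0) return new DataTable(); // nothing to search for

        // Fixed SQL text: no user input is concatenated into it.
        // TOP (@max) with a variable requires SQL Server 2005 or later.
        const string searchSql =
            "SELECT TOP (@max) c.MessageID, c.Message, a.Topic, c.Posted " +
            "FROM dbo.Message AS c JOIN dbo.Topic AS a ON a.TopicID = c.TopicID " +
            "WHERE CONTAINS(c.Message, @search) OR CONTAINS(a.Topic, @search) " +
            "ORDER BY c.Posted DESC";

        using (var cmd = new SqlCommand(searchSql, conn))
        {
            // maxResults == 0 meant "no limit" in the original; map it to int.MaxValue.
            cmd.Parameters.Add("@max", SqlDbType.Int).Value =
                maxResults == 0 ? int.MaxValue : maxResults;
            cmd.Parameters.Add("@search", SqlDbType.NVarChar, 4000).Value = condition;

            var table = new DataTable();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                table.Load(reader);
            }
            return table;
        }
    }

    public static void Main()
    {
        // Constructed sample input: the second word carries a double quote,
        // which is doubled so the full-text term stays well formed.
        var words = new[] { "yaf", "search \"engine\"" };
        Console.WriteLine(BuildContainsCondition(words));
    }
}
```

CONTAINS still interprets its search condition (quoted terms, AND, OR, NEAR), so the quoting in BuildContainsCondition is about keeping that condition valid for the full-text engine; what makes the query safe is that the condition reaches SQL Server as the value of @search rather than spliced into the statement, so nothing a user types can change the statement's structure.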

john55
  • john55
  • 53% (Neutral)
  • YAF Forumling Topic Starter
14 years ago
What other functions in 1.9.3 use dynamically generated SQL from user input?