We use a modified version of the external database plugin for our enrolments. Looking through the code, I found several things that raised concerns for me:
- User-entered fields like $localcoursefield are concatenated into queries with no validation (e.g. lib.php, line 341).
- The db_get_sql function does not validate the $table, $fields, or $sort arguments; the first two of these can contain user input.
- The dbsetupsql config option allows a user to execute any SQL statement against the external database.
Granted, the only users who have access to these input fields are site admins. However, I'm thinking: first, what if someone hacks an admin's password; second, allowing SQL injection is generally a bad thing anyway.
Am I seeing this right? I'd like to get confirmation before starting a Tracker issue.
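To make the concern concrete, here is an added example (my own illustration, not code from the post above or from the Moodle enrol_database plugin) of the pattern described: a query builder in the shape of db_get_sql($table, $conditions, $fields, $sort) that concatenates identifiers as-is, beside a hardened builder that allowlists every identifier before it reaches the SQL string. It uses an in-memory SQLite database with constructed tables (enrolments, admin_secrets) standing in for the external database, so it runs offline; the function and table names are assumptions for the demo only.

```python
import re
import sqlite3

# Constructed sample schema: a stand-in for the external enrolment database.
# admin_secrets exists only to show what an injected field expression can reach.
SAMPLE_SCHEMA = """
CREATE TABLE enrolments (course TEXT, user TEXT, role TEXT);
CREATE TABLE admin_secrets (name TEXT, value TEXT);
INSERT INTO enrolments VALUES ('MATH101', 'alice', 'student');
INSERT INTO enrolments VALUES ('MATH101', 'bob', 'student');
INSERT INTO admin_secrets VALUES ('api_key', 'sk-constructed-secret');
"""


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SCHEMA)
    return conn


def db_get_sql_unsafe(table, conditions, fields, sort=""):
    """Hypothetical builder mirroring the pattern in the post: table, field
    names, condition keys and sort are pasted into the SQL unchanged. Only
    the condition *values* are parameterised, so any identifier that comes
    from a config field is an injection point."""
    sql = f"SELECT {', '.join(fields)} FROM {table}"
    if conditions:
        sql += " WHERE " + " AND ".join(f"{k} = ?" for k in conditions)
    if sort:
        sql += f" ORDER BY {sort}"
    return sql, list(conditions.values())


# Hardened version: every identifier must match a strict allowlist pattern
# and is then quoted. Anything containing spaces, parentheses, quotes or
# comment markers is rejected before it can become part of the statement.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]{0,63}$")


def quote_ident(name):
    if not IDENT_RE.match(name):
        raise ValueError(f"invalid SQL identifier: {name!r}")
    # Double quotes are the SQLite/standard identifier quote; MySQL uses backticks.
    return '"' + name + '"'


def quote_sort(sort):
    """Accept only 'column' or 'column ASC|DESC'."""
    parts = sort.split()
    if len(parts) == 1:
        return quote_ident(parts[0])
    if len(parts) == 2 and parts[1].upper() in ("ASC", "DESC"):
        return quote_ident(parts[0]) + " " + parts[1].upper()
    raise ValueError(f"invalid ORDER BY clause: {sort!r}")


def db_get_sql_safe(table, conditions, fields, sort=""):
    cols = ", ".join(quote_ident(f) for f in fields)
    sql = f"SELECT {cols} FROM {quote_ident(table)}"
    if conditions:
        sql += " WHERE " + " AND ".join(f"{quote_ident(k)} = ?" for k in conditions)
    if sort:
        sql += " ORDER BY " + quote_sort(sort)
    return sql, list(conditions.values())


def run(conn, builder, table, conditions, fields, sort=""):
    sql, params = builder(table, conditions, fields, sort)
    return conn.execute(sql, params).fetchall()


def demo():
    """Returns (rows leaked by the unsafe builder, whether the safe builder
    rejected the same payload, rows from a legitimate safe query)."""
    conn = open_sample_db()
    # A "field name" that is really a subquery: an admin-level config value
    # like this turns every enrolment row into a carrier for another table.
    payload = "(SELECT value FROM admin_secrets LIMIT 1)"
    conds = {"course": "MATH101"}
    leaked = run(conn, db_get_sql_unsafe, "enrolments", conds, ["user", payload])
    try:
        run(conn, db_get_sql_safe, "enrolments", conds, ["user", payload])
        blocked = False
    except ValueError:
        blocked = True
    legit = run(conn, db_get_sql_safe, "enrolments", conds, ["user", "role"], "user DESC")
    return leaked, blocked, legit


if __name__ == "__main__":
    print(demo())
```

The allowlist check is what the $table/$fields/$sort arguments are missing in the scenario described: an admin can still name any column the external account can read, which is the intended use, but can no longer splice a subquery, a UNION or a comment marker into the statement. It does nothing for the dbsetupsql option, whose stated purpose is to run an arbitrary statement; that one is a design question about whether the option should exist or be restricted, not an escaping bug.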