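The code you posted, axml_release_0.1.3, does not use DBI's quote, quote_identifier, or placeholders anywhere in the code. Every query in the grep output below is built by interpolating variables directly into the SQL string, so unless a value is escaped some other way first, it reaches the database as part of the statement text. Values such as the username and sessionID should be bound through placeholders (or passed through quote), and interpolated table and column names should go through quote_identifier or be checked against a fixed list of allowed names: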
./main/aXML.pm: my $query = qq{ SELECT * FROM users WHERE use
+rname="$username" };
./main/plugins/batchvalidate.aXMLpi: my $query = qq{ SELECT *
+FROM $in WHERE $name=\"$value\" };
./main/plugins/batchvalidate.aXMLpi: my $query = qq{ SELECT *
+FROM $in WHERE $name=\"$value\" };
./main/plugins/math.aXMLpi:$result = "<SQL mode=\"read\">SELECT $data;
+</SQL>";
./main/plugins/runaction.aXMLpi: my $query = qq{ SELECT * FRO
+M users WHERE username="$session->{username}" };
./main/plugins/session.aXMLpi: my $query = qq{ SELECT * FROM
+sessions WHERE sessionID="$qd->{sessionID}"; };
./main/plugins/SQL.aXMLpi: my $query = qq[ SELECT count(1)
+FROM $table WHERE ];
./main/plugins/SQL.aXMLpi: my $query = "SELECT * FROM $command_ar
+gs->{db} WHERE 1=0";
./main/plugins/SQL.aXMLpi: $query = qq{ SELECT * FROM $command
+_args->{db} WHERE $command_args->{key}="$command_args->{value}"
./main/plugins/SQL.aXMLpi: $query = qq{ SELECT * FROM $command
+_args->{db} WHERE $command_args->{key}="$command_args->{value}" };
./main/plugins/SQL.aXMLpi: my $sth = $dbh->prepare("SELECT *
+FROM $command_args->{table} WHERE 1=0");
./main/system/sessions.pm: my $query = " SELECT * FROM sessions WHE
+RE sessionID=\"$_[1]\"";
./main/system/SQL.pm: my $query = qq { SELECT $col FROM $db WHERE
+$key };
./main/system/SQL.pm: my $sth = $dbh->prepare( qq { SELECT COU
+NT(1) as "NUM" FROM $from $where; } );
./site/common/showfeedback.aXML: SELECT * FROM feedback;