This issue is present in Nette 2.3.11.
How to reproduce the issue:
Use the following syntax:
The query gets executed without escaping the value in $value e.g. as:
SELECT ... FROM table WHERE (
The problem obviously being the first parenthesis.
Although such usage is not correct (you should not use the whole result, but its field instead), this is pretty hard to debug and has potentially fatal consequences (SQL injection).
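As an added example (not code from the issue or from the Nette project), a small guard that enforces the "bind the field, not the whole result" rule before values reach a query builder's where() condition; the function name and the stand-in row object are assumptions:

```php
<?php
// Added example, not part of the Nette issue or project: reject non-scalar
// query parameters (such as a whole fetched row) before they reach the
// SQL builder, so an object can never be interpolated unescaped.

/**
 * Returns $params unchanged if every element is null, a scalar, or an array
 * of scalars; throws otherwise. Objects are rejected outright.
 */
function assertSafeQueryParams(array $params): array
{
    foreach ($params as $i => $p) {
        if ($p === null || is_scalar($p)) {
            continue;
        }
        // array_filter keeps keys, so the result equals $p only if all
        // elements are scalars
        if (is_array($p) && $p === array_filter($p, 'is_scalar')) {
            continue;
        }
        throw new InvalidArgumentException(sprintf(
            'Query parameter #%d must be a scalar or array of scalars, %s given',
            $i,
            is_object($p) ? get_class($p) : gettype($p)
        ));
    }
    return $params;
}

// Constructed stand-in for a fetched row object (hypothetical data).
$row = (object) ['id' => 42, 'name' => 'alice'];

// Intended usage: bind the field.
assertSafeQueryParams([$row->id]);

// The mistake described in the report: binding the whole result object.
try {
    assertSafeQueryParams([$row]);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Wrapping parameters this way turns the silent, unescaped query into an immediate exception at the call site, which is far easier to debug than inspecting the generated SQL.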