I was examining VM version 2.6.0a code to see how it handles security risks like SQL injection, as previous versions like 2.0.22 were not secured. In the administrator-side model file "orders.php", this function gets an order by id and pass:
public function getOrderIdByOrderPass($orderNumber,$orderPass){
$db = JFactory::getDBO();
$q = 'SELECT `virtuemart_order_id` FROM `#__virtuemart_orders` WHERE `order_pass`="'.$db->getEscaped($orderPass).'" AND `order_number`="'.$db->getEscaped($orderNumber).'"';
.......................
}
Although $db->getEscaped() was used to check the variable from the URL instead of $db->quote(), they did not verify the max length of the variable string, like order_pass. Could a hacker still put another SQL statement in to harm the database or do such kinds of attacks? And do the latest VM versions check all these things about SQL injection attacks?
I agree that $db->quote is better than $db->escape ($db->getEscaped() is deprecated) because it calls escape internally and also quotes the output.
But I don't think that there is any risk.
$db->escape calls PHP's mysql_real_escape_string (http://php.net/mysql_real_escape_string), which escapes any dangerous character.
Actually $db->escape is doing the dirty job in both cases.
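To make the escape-versus-quote distinction from the answer concrete, here is an added example; it is not VirtueMart or Joomla code. It stands in for $db->escape() and $db->quote() with plain PHP functions (escape_stand_in and quote_stand_in are assumed names that mirror the character set mysql_real_escape_string handles, not the Joomla implementations) and rebuilds the order lookup with quote(), so that each user value arrives as one closed string literal whatever its length or content:

```php
<?php
// Added example, not VirtueMart or Joomla code. escape_stand_in and
// quote_stand_in are assumed stand-ins for $db->escape() and $db->quote()
// so the script runs without a Joomla installation.

// Stand-in for $db->escape(): backslash-escapes the characters MySQL treats
// specially inside a string literal, as mysql_real_escape_string does.
function escape_stand_in(string $value): string {
    return strtr($value, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        '"'    => '\\"',
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ]);
}

// Stand-in for $db->quote(): escape first, then wrap in single quotes.
// This is the combination the answer recommends.
function quote_stand_in(string $value): string {
    return "'" . escape_stand_in($value) . "'";
}

// The lookup from the question, rewritten so both values are quoted literals.
// No maximum length is needed for the literal to stay closed: every quote or
// backslash in the input is escaped before it reaches the query text.
function build_order_lookup(string $orderNumber, string $orderPass): string {
    return 'SELECT `virtuemart_order_id` FROM `#__virtuemart_orders`'
        . ' WHERE `order_pass`=' . quote_stand_in($orderPass)
        . ' AND `order_number`=' . quote_stand_in($orderNumber);
}

// Defensive check: counts single-quoted literals in the built SQL, treating a
// backslash followed by any character as escaped. A correctly built lookup
// always yields exactly two literals, one per user value.
function literal_count(string $sql): int {
    preg_match_all("/'(?:[^'\\\\]|\\\\.)*'/", $sql, $matches);
    return count($matches[0]);
}

// Constructed sample inputs: a normal pair, a very long pass, and a pass
// containing quote and backslash characters.
$samples = [
    ['ord-1001', 'p_ab12'],
    ['ord-1001', str_repeat('x', 5000)],
    ['ord-1001', "p'\"\\\\x"],
];
foreach ($samples as [$orderNumber, $orderPass]) {
    $sql = build_order_lookup($orderNumber, $orderPass);
    printf("%d literals, %d bytes: %s\n",
        literal_count($sql), strlen($sql), substr($sql, 0, 80));
}
```

Every sample reports 2 literals, which is the property the answer relies on: escaping keeps a string literal closed, and quote() guarantees the literal exists in the first place. The length check the question asks about does not change that; what matters is that the value is never interpolated outside a quoted literal.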