SA-CORE-2014-005 - Drupal core - SQL injection
Yet another exploit for one of the "everything and the kitchen sink" CMSes. It really goes to show how wonderful dynamically typed languages are for security, especially PHP, which is basically stochastically typed.
Another thing which has no effect on me, since I wrote this from scratch and I'm not stupid enough to construct objects directly from user input and pass them into an SQL generation function that sets the column names.
The best part is the description of what the exploit targets from Drupal's official site:
"Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks."
How's that working out for you? Prepared queries, careful programming and flattening objects before passing them directly into the field list would have prevented all of this.
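To make the pattern described above concrete (user-controlled array keys becoming SQL identifiers, versus flattening the input against a known column list and binding only the values), here is an added illustration in Python with sqlite3; it is not Drupal's code and the table, column names and query builder are constructed for the example:

```python
import re
import sqlite3

# Constructed schema: the only columns the query builder is allowed to name.
ALLOWED_COLUMNS = {"users": {"name", "mail", "status"}}

# Identifier syntax a column name must satisfy before it is even looked up.
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def build_where_vulnerable(table, conditions):
    """The mistake the post describes: keys of a caller-supplied mapping are
    pasted into the SQL text as column names. Values are bound, keys are not."""
    clauses = [f"{col} = ?" for col in conditions]
    sql = f"SELECT name, mail FROM {table} WHERE " + " AND ".join(clauses)
    return sql, list(conditions.values())


def column_is_trusted(table, col):
    """A key is usable only if it looks like an identifier AND is a real column."""
    return bool(IDENT.match(col)) and col in ALLOWED_COLUMNS.get(table, set())


def build_where_hardened(table, conditions):
    """Flatten the untrusted mapping: every key is checked against the schema,
    quoted as an identifier, and only the values reach the driver as parameters."""
    if table not in ALLOWED_COLUMNS:
        raise ValueError(f"unknown table {table!r}")
    clauses, params = [], []
    for col, value in conditions.items():
        if not column_is_trusted(table, col):
            raise ValueError(f"rejected column name {col!r}")
        clauses.append(f'"{col}" = ?')
        params.append(value)
    return f"SELECT name, mail FROM {table} WHERE " + " AND ".join(clauses), params


def run(builder, conditions):
    """Execute a builder's query against a constructed in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, mail TEXT, status INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.test", 1), ("bob", "bob@example.test", 0)],
    )
    sql, params = builder("users", conditions)
    return conn.execute(sql, params).fetchall()
```

With a well-formed key both builders return the same single row; with a key that is not a column name the vulnerable builder silently runs it as SQL and returns every row, while the hardened one refuses before any query is built.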
Details of the issue here: https://www.drupal.org/SA-CORE-2014-005