purpose of this API

prevent SQL Injection

API itself introduced

SQL Injection

Security researchers from SektionEins have discovered a critical SQL Injection vulnerability in Drupal CMS that leaves a large number of websites that uses Drupal at risk.Drupal introduced a database abstraction API in version 7. Theis toattacks by sanitizing SQL Queries.But, thisa new and criticalvulnerability. The vulnerability enables attackers to run malicious SQL queries, PHP code on vulnerable websites. A successful exploitation allows hackers to take complete control of the site.This vulnerability can be exploited by a non-authenticated user and has been classified as "Highly Critical" one.SektionEins didn't release the POC but released an advisory with technical details.The vulnerability exists in the expandArguments function which is used for expanding arrays to handle SQL queries with "IN" Operator.The vulnerability affects Drupal core 7.x versions prior. Users of 7.x versions are advised to update their CMS immediately.You can also directly modify the "includes/database.inc" file to patch this vulnerability; Change the "" with "" in 739 line.A proof of Concept has been released online that allows anyone to change the password of admin account. So, better Hurry UP! Update your Drupal CMS.One of the reddit user " fyukyuk " posted a HTTP post request that exploits this vulnerability.The following python Code changes the admin password of vulnerable Drupal to '' (Tested with Drupal versions 7.21,7.31).