Opened 16 years ago

Closed 15 years ago

#792 closed task (fixed)

Modify settings code to use the bindValues database stuff.

Reported by: anonymous Owned by: Isaac Richards
Priority: minor Milestone: 0.20
Component: mythtv Version: head
Severity: medium Keywords: mythtv-setup mysql
Cc: Ticket locked: no


When configuring user jobs, I was naively shielding my parameters with single quotes, i.e. '%FILE%'.

Using svn 8219.

I did not test other fields in mythtv-setup or mythfrontend. A general filtering/escaping function should be called on anything that would get passed to a SQL query...

Btw the error message from mythtv-setup read:

2005-12-11 22:47:40.327 DB Error (simpledbstorage update): Query was:

No error type from QSqlError? Strange...

Change History (3)

comment:1 Changed 16 years ago by danielk

Resolution: invalid
Status: newclosed

Feature request without patch.

Escaping these strings would be a nice thing to do, but it is assumed that anyone using mythtv-setup/mythfrontend has rights to do whatever they want with the myth DB so it is not really a security problem. If you see this with mythweb it is a security problem though.

comment:2 Changed 16 years ago by Isaac Richards

Milestone: 0.20
Resolution: invalid
Status: closedreopened
Summary: SQL "injection" in mythtv-setup (User Jobs)Modify settings code to use the bindValues database stuff.
Type: defecttask

Reopening, marking as task so I don't forget to do this.

comment:3 Changed 15 years ago by Isaac Richards

Resolution: fixed
Status: reopenedclosed

(In [9613]) Patch from Noah to convert all of the settings code to use the prepare/bindValues SQL interface - proper escaping, etc. Not tested heavily, but seems to work here.

Note: See TracTickets for help on using tickets.