Opened 18 years ago
Closed 18 years ago
#792 closed task (fixed)
Modify settings code to use the bindValues database stuff.
Reported by: | anonymous | Owned by: | Isaac Richards |
---|---|---|---|
Priority: | minor | Milestone: | 0.20 |
Component: | mythtv | Version: | head |
Severity: | medium | Keywords: | mythtv-setup mysql |
Cc: | Ticket locked: | no |
Description
When configuring user jobs, I was naively shielding my parameters with single quotes, i.e. '%FILE%'.
Using svn 8219.
I did not test other fields in mythtv-setup or mythfrontend. A general filtering/escaping function should be called on anything that would get passed to a SQL query...
Btw the error message from mythtv-setup read:
2005-12-11 22:47:40.327 DB Error (simpledbstorage update): Query was:
No error type from QSqlError? Strange...
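The failure described in this ticket and the bound-parameter fix its new summary asks for, as an added example that is not MythTV code: an in-memory SQLite stand-in for the settings table (the value/data/hostname columns are assumed, not taken from the ticket), with sqlite3's `?` placeholders playing the role of QSqlQuery::bindValue().

```python
import sqlite3


def _fresh_db() -> sqlite3.Connection:
    # Constructed fixture: one user-job setting row (schema is assumed, not from the ticket).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE settings (value TEXT, data TEXT, hostname TEXT)")
    con.execute("INSERT INTO settings VALUES ('UserJob1', '', 'mythbox')")
    return con


def update_setting_concat(con, value, data, hostname):
    """The pattern the ticket complains about: user text pasted straight into the SQL.
    A quote inside `data` closes the literal early and the remainder of the input is
    parsed as SQL, so the statement fails (and, with other input, could do worse)."""
    sql = ("UPDATE settings SET data = '" + data + "' "
           "WHERE value = '" + value + "' AND hostname = '" + hostname + "'")
    try:
        con.execute(sql)
        con.commit()
        return None
    except sqlite3.Error as exc:
        return str(exc)  # the driver's message; mythtv-setup surfaced it as a bare "DB Error"


def update_setting_bound(con, value, data, hostname):
    """The fix the ticket asks for: placeholders plus bound values. The driver receives
    `data` as a value, never as SQL text, so quotes are just characters."""
    con.execute("UPDATE settings SET data = ? WHERE value = ? AND hostname = ?",
                (data, value, hostname))
    con.commit()
    return None


def read_setting(con, value, hostname):
    row = con.execute("SELECT data FROM settings WHERE value = ? AND hostname = ?",
                      (value, hostname)).fetchone()
    return row[0] if row else None


def demo(data="mytranscode '%FILE%'"):
    """Runs both variants on the same quoted input; returns (concat_error, data_after_concat, data_after_bound)."""
    con = _fresh_db()
    err = update_setting_concat(con, "UserJob1", data, "mythbox")
    after_concat = read_setting(con, "UserJob1", "mythbox")
    update_setting_bound(con, "UserJob1", data, "mythbox")
    return err, after_concat, read_setting(con, "UserJob1", "mythbox")


if __name__ == "__main__":
    print(demo())
```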
Change History (3)
comment:1 Changed 18 years ago by
Resolution: | → invalid |
---|---|
Status: | new → closed |
Feature request without patch.
Escaping these strings would be a nice thing to do, but it is assumed that anyone using mythtv-setup/mythfrontend has rights to do whatever they want with the myth DB, so it is not really a security problem. If you see this with mythweb it is a security problem though.
comment:2 Changed 18 years ago by
Milestone: | → 0.20 |
---|---|
Resolution: | invalid |
Status: | closed → reopened |
Summary: | SQL "injection" in mythtv-setup (User Jobs) → Modify settings code to use the bindValues database stuff. |
Type: | defect → task |
Reopening, marking as task so I don't forget to do this.