[mythtv-commits] Ticket #7809: SQL Escape problem in mythweb

MythTV mythtv at cvs.mythtv.org
Tue Mar 2 01:33:40 UTC 2010

#7809: SQL Escape problem in mythweb
 Reporter:  achew22+mythtv@…          |       Owner:  kormoc    
     Type:  defect                    |      Status:  new       
 Priority:  major                     |   Milestone:  unknown   
Component:  Plugin - MythWeb          |     Version:  0.22-fixes
 Severity:  medium                    |     Mlocked:  0         

Comment(by cadams):

 What you needed to put there was
 title='ABC\'s World News'

 In a power search that field is for handwritten content for a WHERE clause
 off the program and channel tables. This is one case where you WANT to
 pass quotes to the database.

 It has potential for abuse: you (or a black-hat from the tubes) can write
 a lovely rule to match every program in the EPG which would probably bring
 the scheduler to its knees or crash your backend.

 However, before running the where clause it removes semicolons and
 secondary queries from the text. It seems pretty toothless to me (IANA SQL
 guru) - it will strip out stuff like this
 ;delete from recorded

 This ticket looks invalid to me.

Ticket URL: <http://svn.mythtv.org/trac/ticket/7809#comment:1>
MythTV <http://www.mythtv.org/>
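The quoting point in the comment above, as an added example that is not part of the ticket or of MythWeb's code: a hand-written WHERE fragment is pasted into the SQL text, so an unescaped apostrophe is a syntax error and the user must quote it themselves, whereas a fixed query shape with the value bound as a parameter needs no escaping at all. The example uses Python's standard-library sqlite3 with constructed sample rows (the `program` and `recorded` table names follow the ticket; the column layout is assumed). Note that sqlite3 uses the SQL-standard doubled quote `''`; the ticket's `\'` form is MySQL's backslash escape.

```python
import sqlite3

# Constructed sample EPG rows, not real MythTV data.
SAMPLE_PROGRAMS = [
    ("ABC's World News", 1),
    ("World News Tonight", 2),
    ("Morning Show", 3),
]


def make_db():
    """Build an in-memory database with a minimal program table and a
    recorded table (assumed layout; only the names follow the ticket)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE program (title TEXT, chanid INTEGER)")
    conn.execute("CREATE TABLE recorded (title TEXT)")
    conn.executemany("INSERT INTO program VALUES (?, ?)", SAMPLE_PROGRAMS)
    conn.execute("INSERT INTO recorded VALUES ('Keep me')")
    conn.commit()
    return conn


def power_search_raw(conn, where_fragment):
    """Hand-written WHERE clause, the way a power search accepts it.
    The fragment is concatenated into the SQL text, so quoting of any
    literal inside it is the user's responsibility."""
    sql = "SELECT title FROM program WHERE " + where_fragment
    return [row[0] for row in conn.execute(sql)]


def quote_literal(value):
    """Quote a string for use inside a hand-written clause.
    SQL-standard escaping doubles the single quote; MySQL additionally
    accepts a backslash before it, which is the form shown in the ticket."""
    return "'" + value.replace("'", "''") + "'"


def power_search_by_title(conn, title):
    """Hardened alternative: fixed query shape, value bound as a parameter.
    The database never sees the title as SQL text, so apostrophes and
    semicolons in it are just characters to compare against."""
    return [row[0] for row in conn.execute(
        "SELECT title FROM program WHERE title = ?", (title,))]


def run_demo():
    """Exercise all three paths and return the observations."""
    conn = make_db()
    results = {}
    try:
        # Unescaped apostrophe: the literal ends at ABC and "s" is junk.
        power_search_raw(conn, "title='ABC's World News'")
        results["unescaped_raises"] = False
    except sqlite3.OperationalError:
        results["unescaped_raises"] = True
    results["escaped"] = power_search_raw(
        conn, "title=" + quote_literal("ABC's World News"))
    results["bound"] = power_search_by_title(conn, "ABC's World News")
    # A bound value containing SQL syntax matches nothing and runs nothing.
    results["bound_junk"] = power_search_by_title(conn, "x'; delete from recorded")
    results["recorded_rows"] = conn.execute(
        "SELECT COUNT(*) FROM recorded").fetchone()[0]
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The raw path is what the ticket describes: it works once the apostrophe is escaped, and its safety rests entirely on whatever post-processing strips extra statements. The bound path removes that dependency, at the cost of no longer accepting arbitrary hand-written conditions.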
