[mythtv-commits] Ticket #7809: SQL Escape problem in mythweb
MythTV
mythtv at cvs.mythtv.org
Tue Mar 2 01:33:40 UTC 2010
#7809: SQL Escape problem in mythweb
Reporter:  achew22+mythtv@…  |  Owner:     kormoc
Type:      defect            |  Status:    new
Priority:  major             |  Milestone: unknown
Component: Plugin - MythWeb  |  Version:   0.22-fixes
Severity:  medium            |  Mlocked:   0
Comment(by cadams):
What you needed to put there was
{{{
title='ABC\'s World News'
}}}
In a power search that field is for handwritten content for a WHERE clause
off the program and channel tables. This is one case where you WANT to
pass quotes to the database.
It has potential for abuse: you (or a black-hat from the tubes) can write
a lovely rule to match every program in the EPG which would probably bring
the scheduler to its knees or crash your backend.
However, before running the where clause it removes semicolons and
secondary queries from the text. It seems pretty toothless to me (IANA SQL
guru): it will strip out stuff like this
{{{
;delete from recorded
}}}
This ticket looks invalid to me.
--
Ticket URL: <http://svn.mythtv.org/trac/ticket/7809#comment:1>
MythTV <http://www.mythtv.org/>
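The comment above describes a free-form WHERE fragment that the user must quote by hand (backslash-escaping the apostrophe) and that the code sanitises afterwards by stripping semicolons. A denylist of that kind is hard to reason about; the usual defensive alternative is to tokenise the fragment against an allowlist of columns, keywords and operators and hand every string literal to the database driver as a bound parameter, so the application never has to get quoting right itself. The following Python is an added example written for this page, not MythWeb's own (PHP) code: the column allowlist is a hypothetical sketch of a few program/channel fields, the `%s` placeholder style assumes a DB-API MySQL driver, and `unescape` only handles the two literal quoting styles shown here (`\'` and `''`).

```python
"""Allowlist-based validation of a hand-written SQL WHERE fragment.

The fragment is tokenised; identifiers must come from a fixed set of
columns or keywords, string literals are lifted out into a parameter
list, and anything else (semicolons, comment markers, unknown tables)
is rejected outright instead of being stripped.
"""
import re

# Hypothetical allowlist: a few columns of the program/channel tables.
# Bare names are also accepted, as in the ticket's "title='...'" example.
QUALIFIED_COLUMNS = {
    "program.title", "program.subtitle", "program.description",
    "program.category", "program.starttime",
    "channel.callsign", "channel.name", "channel.chanid",
}
ALLOWED_COLUMNS = QUALIFIED_COLUMNS | {c.split(".", 1)[1] for c in QUALIFIED_COLUMNS}
ALLOWED_KEYWORDS = {"AND", "OR", "NOT", "LIKE", "IN", "IS", "NULL", "BETWEEN"}

TOKEN_RE = re.compile(r"""
    \s+                                                            |
    (?P<string>'(?:\\.|''|[^'\\])*')                               |
    (?P<number>\d+(?:\.\d+)?)                                      |
    (?P<ident>[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)?) |
    (?P<op><>|!=|<=|>=|[=<>(),])                                   |
    (?P<bad>.)
""", re.VERBOSE | re.DOTALL)


class UnsafeFragment(ValueError):
    """Raised when the fragment contains anything outside the allowlist."""


def unescape(body):
    # Undo backslash escapes (\' -> ') and doubled quotes ('' -> ')
    # so the driver receives the literal text the user meant.
    return re.sub(r"\\(.)|''",
                  lambda m: m.group(1) if m.group(1) is not None else "'",
                  body, flags=re.DOTALL)


def parameterize(fragment):
    """Return (sql_with_placeholders, params) or raise UnsafeFragment."""
    sql_parts, params, depth = [], [], 0
    for m in TOKEN_RE.finditer(fragment):
        kind, text = m.lastgroup, m.group()
        if kind is None:                      # whitespace
            continue
        if kind == "string":                  # literal -> bound parameter
            params.append(unescape(text[1:-1]))
            sql_parts.append("%s")
        elif kind == "number":
            sql_parts.append(text)
        elif kind == "ident":
            if text.upper() in ALLOWED_KEYWORDS:
                sql_parts.append(text.upper())
            elif text.lower() in ALLOWED_COLUMNS:
                sql_parts.append(text.lower())
            else:
                raise UnsafeFragment("identifier not allowed: %r" % text)
        elif kind == "op":
            if text == "(":
                depth += 1
            elif text == ")":
                depth -= 1
                if depth < 0:
                    raise UnsafeFragment("unbalanced parenthesis")
            sql_parts.append(text)
        else:                                 # ';', '--', '/*', stray quotes ...
            raise UnsafeFragment("character not allowed: %r" % text)
    if depth != 0:
        raise UnsafeFragment("unbalanced parenthesis")
    if not sql_parts:
        raise UnsafeFragment("empty fragment")
    return " ".join(sql_parts), params


def is_safe(fragment):
    """Convenience wrapper: True if the fragment passes the allowlist."""
    try:
        parameterize(fragment)
        return True
    except UnsafeFragment:
        return False


if __name__ == "__main__":
    # Constructed inputs: the ticket's own example and the stripped payload.
    print(parameterize("title='ABC\\'s World News'"))
    for frag in ("title = 'News' ;delete from recorded", "title='x' -- c"):
        print(frag, "->", "accepted" if is_safe(frag) else "rejected")
```

Note that the allowlist only addresses injection: a fragment such as `title LIKE '%'` is perfectly well-formed and still matches every programme in the EPG, so the scheduler-load concern raised in the comment has to be handled separately (for example by capping result counts), not by the parser.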