[mythtv] Patch for generic SQL query

Torbjörn Jansson torbjorn.jansson at mbox200.swipnet.se
Wed Apr 27 17:27:59 UTC 2005


> I must be thick, because I just don't see this as a big hole.  The
> limits of what this command could do are limited by whatever the
> mythtv sql user can do.  While that could be damaging, I don't really
> see it as any more damaging than what you could do with the protocol
> today if you had malicious intent -- for example deleting every single
> recording, stopping recordings, shutting down mythbackend.  I'm not
> sure that I could care about the database damage if all of my
> recordings were deleted...
> 

I agree with you on the security stuff; this extra command won't make it any
more or less secure than before.
If you want to make the protocol secure, you probably have to go through the
whole protocol and possibly add authentication or something like that.


But isn't allowing for directly executing sql queries defeating the whole
idea behind protocol versioning?
I mean, what if there is an incompatible change in the db structure? How is
the app that sends sql queries going to know that?
Remember that a db structure change isn't the same thing as a protocol version.

So that's why I think it's better to add the missing functionality to the
protocol than to allow direct sql queries to be executed.


