developer.jelix.org is not used any more and exists only for history. Post new tickets on the Github account.

Opened 9 years ago

Closed 9 years ago

#888 closed bug (fixed)

jDaoConditions: the operator should be checked

Reported by: laurentj
Owned by: laurentj
Priority: highest
Milestone: Jelix 1.0.8
Component: jelix:dao
Version: 1.1
Severity: critical
Keywords: security
Cc:
Blocked By:
Blocking:
Documentation needed: no
Hosting Provider:
Php version:

Description

The operator given to the addConditions method is not checked. We can give any string and it will be inserted as is in the SQL query. So we can insert malicious conditions. If the operator is given by a form, it should be a security hole.
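
The unchecked-operator pattern and the allowlist check that closes it, as an added illustration that is not Jelix's own jDaoConditions code: the class and function names below are hypothetical stand-ins mirroring the addConditions API the ticket names, and the accepted operator list is assumed, not taken from Jelix.

```php
<?php
// Added example, not Jelix code. Names are hypothetical.

// Vulnerable shape: the $operator string is concatenated into the generated
// SQL unchanged, so whatever the caller (or a form feeding it) passes becomes
// part of the query.
function buildConditionUnchecked(string $field, string $operator, string $param): string
{
    return $field . ' ' . $operator . ' :' . $param;
}

// Hardened shape: the operator must match one entry of a fixed allowlist and
// only the canonical spelling from that list ever reaches the SQL.
final class SafeConditions
{
    // Assumed allowlist of binary operators for this illustration.
    private const OPERATORS = ['=', '<>', '!=', '<', '<=', '>', '>=', 'LIKE', 'NOT LIKE'];

    /** @var string[] SQL fragments, one per added condition */
    private array $conditions = [];

    public function addCondition(string $field, string $operator, string $param): void
    {
        // Normalise whitespace and case, then compare strictly against the list.
        $op = strtoupper(trim(preg_replace('/\s+/', ' ', $operator)));
        if (!in_array($op, self::OPERATORS, true)) {
            throw new InvalidArgumentException("Unsupported operator: $operator");
        }
        // Field and placeholder names are restricted to plain identifiers, so
        // neither can carry extra SQL either.
        foreach ([$field, $param] as $ident) {
            if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $ident)) {
                throw new InvalidArgumentException("Invalid identifier: $ident");
            }
        }
        $this->conditions[] = $field . ' ' . $op . ' :' . $param;
    }

    public function toSql(): string
    {
        return implode(' AND ', $this->conditions);
    }
}

$c = new SafeConditions();
$c->addCondition('status', ' like ', 'status');   // accepted after normalisation
echo $c->toSql(), PHP_EOL;
try {
    $c->addCondition('id', '= 0 OR', 'id');        // rejected: not a bare operator
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The value bound to each placeholder is still passed to the database driver as a parameter; the allowlist only governs the operator and identifier text that is spliced into the query.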

Change History (1)

comment:1 Changed 9 years ago by laurentj

  • Resolution set to fixed
  • Status changed from new to closed

fixed in trunk, 1.1.x, 1.0.x. r1376
