This tracker is not used any more and exists only for history. Post new tickets on the GitHub account.

Opened 13 years ago

Closed 13 years ago

#888 closed bug (fixed)

jDaoConditions: the operator should be checked

Reported by: laurentj
Owned by: laurentj
Priority: highest
Milestone: Jelix 1.0.8
Component: jelix:dao
Version: 1.1
Severity: critical
Keywords: security
Cc:
Blocked By:
Blocking:
Documentation needed: no
Hosting Provider:
Php version:


The operator given to the addConditions method is not checked. We can give any string and it will be inserted as-is in the SQL query. So we can insert malicious conditions. If the operator is given by a form, it would be a security hole.
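The kind of check the ticket asks for, as an added PHP example that is not Jelix's own code: the operator is matched against a fixed allowlist before it is ever concatenated into SQL, and values go through placeholders. The class and method names are hypothetical and only mirror the ticket's description of addConditions; they are not the real jDao API or the r1376 fix.

```php
<?php
// Added example, not Jelix's own code: the operator passed to a condition
// builder is checked against a fixed allowlist before it is concatenated into
// SQL, the check ticket #888 asks for. Names are hypothetical, not the real API.

final class SafeConditions
{
    /** Operators the builder accepts; anything else is rejected outright. */
    private const ALLOWED_OPERATORS = ['=', '<>', '!=', '<', '<=', '>', '>=', 'LIKE', 'NOT LIKE'];
    private array $conditions = [];

    public function addCondition(string $field, string $operator, $value): self
    {
        // Normalise case/whitespace so 'like' matches, then require an exact match:
        // the caller's string itself never reaches the query text.
        $op = strtoupper(preg_replace('/\s+/', ' ', trim($operator)));
        if (!in_array($op, self::ALLOWED_OPERATORS, true)) {
            throw new InvalidArgumentException("Unsupported SQL operator: $operator");
        }
        // The field name is interpolated too, so restrict it to a plain identifier.
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $field)) {
            throw new InvalidArgumentException("Invalid field name: $field");
        }
        $this->conditions[] = [$field, $op, $value];
        return $this;
    }

    /** Returns [whereFragment, boundParams]; values travel only as placeholders. */
    public function toSql(): array
    {
        $sql = $params = [];
        foreach ($this->conditions as [$field, $op, $value]) {
            $sql[] = "$field $op ?";
            $params[] = $value;
        }
        return [implode(' AND ', $sql), $params];
    }
}

// Valid operators build a parameterised clause: 'status = ? AND age >= ?', ['open', 18]
[$where, $params] = (new SafeConditions())
    ->addCondition('status', '=', 'open')
    ->addCondition('age', '>=', 18)
    ->toSql();

// An operator not on the list (BETWEEN here) is refused before any SQL is built.
try {
    (new SafeConditions())->addCondition('age', 'BETWEEN', 18);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```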

Change History (1)

comment:1 Changed 13 years ago by laurentj

  • Resolution set to fixed
  • Status changed from new to closed

fixed in trunk, 1.1.x, 1.0.x. r1376
