On Sun, Feb 27, 2005 at 03:17:46PM -0800, Chris Petersen wrote:
> >a) One can preface "hd:" to a search and find only programs broadcast in
> >HDTV.
>
> Good enough, but I think I'm going to make this a checkbox option like
> "exact match" -- you'll see the commit go in soon.
Yeah, I put that in before I decided I wanted canned queries more.

> >b) One can provide a parameter "sql" which is a generalized SQL query for
> >the "program" table to search.php. This is mostly used below, but
> >allows users to build complex queries, if they know their SQL, and bookmark
> >them for future searching.
>
> I can't allow this -- it's too blatant of a security risk.

I was thinking about this, and in fact in the update of the patch I sent you this morning I had put in some basics like refusing any query with a semicolon in it.

I was looking around for analysis of what security risks there were in an open SQL query (aside from semicolon) and I didn't see as many as I thought. I mean anybody with mythweb access can already pretty much muck up your system, deleting all shows, schedules, scheduling new shows etc. Most people, as you know, keep their mythtv database with the default password, i.e. no security from people on the local net who also have mythweb access.

Or, since I'm not a PHP programmer, is there a risk of breaking out into PHP code itself with such an arbitrary string I'm not aware of? But I agree you don't want to take risks you don't need to.

One thing I like a lot about the generalized SQL query is that users can use them and bookmark them for all their favourite searches. Or people on the myth-users list could easily help newbies by giving them query links the users can bookmark to solve their problems. Canned hash links can solve the security question of course but less so the bookmark one.

Patch in this style coming shortly.
_______________________________________________
mythtv-dev mailing list
[email protected]
http://mythtv.org/cgi-bin/mailman/listinfo/mythtv-dev
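As an added example, not code from this thread or from MythWeb itself: one way to keep searches bookmarkable without accepting a raw `sql` parameter is a whitelist of named canned queries whose SQL text lives only in the code, with the single user-supplied value bound as a parameter. It uses an in-memory SQLite stand-in for the `program` table; the column names, query names and the `canned=`/`value=` URL parameters are assumptions for illustration.

```python
import sqlite3

# Canned queries: the SQL text is fixed here, so a bookmark like
# search.php?canned=hd_title&value=Nova names a query rather than carrying one.
# Column names are assumed for this example, not MythWeb's real schema.
CANNED_QUERIES = {
    "hd_title": (
        "SELECT title, starttime FROM program "
        "WHERE hdtv = 1 AND title LIKE ? ORDER BY starttime",
        lambda v: f"%{v}%",   # substring match on the title
    ),
    "exact_title": (
        "SELECT title, starttime FROM program WHERE title = ? ORDER BY starttime",
        lambda v: v,          # exact match on the title
    ),
}

def run_canned(conn, name, value):
    """Dispatch a bookmarkable search by name. A name outside the whitelist is
    rejected before anything reaches the database; the value is bound as a
    parameter, so it is always data and never part of the SQL text."""
    if name not in CANNED_QUERIES:
        raise ValueError(f"unknown canned query: {name!r}")
    sql, shape = CANNED_QUERIES[name]
    return conn.execute(sql, (shape(value),)).fetchall()

def sample_db():
    """Constructed in-memory stand-in for the program table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE program (title TEXT, starttime TEXT, hdtv INTEGER)")
    conn.executemany(
        "INSERT INTO program VALUES (?, ?, ?)",
        [
            ("Nova", "2005-02-28 20:00", 1),
            ("Nova", "2005-03-01 20:00", 0),
            ("Nature", "2005-02-28 21:00", 1),
            ("Local News", "2005-02-28 18:00", 0),
        ],
    )
    return conn

if __name__ == "__main__":
    db = sample_db()
    print(run_canned(db, "hd_title", "N"))
    print(run_canned(db, "exact_title", "Nova"))
    try:
        run_canned(db, "sql", "SELECT * FROM program")
    except ValueError as err:
        print("rejected:", err)
```

A stray quote in the value (`Nova'`) simply matches no title, because it is bound as data rather than spliced into the query.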
