I'm not sure what you're getting at. This is not a production app. It
doesn't claim to be secure. Even supposing security is a concern, the
database is the 3rd tier which can be isolated sufficiently. Random users
(even within the application context) only execute the SQL that's part of
the application.
Can you please clarify what your point is?

Thanks
Shanti

On Wed, Sep 1, 2010 at 3:22 PM, John C McCullough (JIRA) <[email protected]> wrote:

> The php app is a walking SQL injection
> --------------------------------------
>
>                 Key: OLIO-152
>                 URL: https://issues.apache.org/jira/browse/OLIO-152
>             Project: Olio
>          Issue Type: Bug
>          Components: php-app
>    Affects Versions: 0.2
>            Reporter: John C McCullough
>            Assignee: Shanti Subramanyam
>
>
> No SQL statement escaping is done and users can walk all over the database.
>
> Entering user lol'; update PERSON set firstname='sqlparty'
>
> changes all of the firstnames in the database.
>
> Entering user '; drop table
>
> is worse
>
> I haven't looked at the java or rails versions.
>
>
> --
> This message is automatically generated by JIRA.
> -
> You can reply to this email to add a comment to the issue online.
>
>

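The following is an added, self-contained illustration of the report above; it is not code from the Olio php-app or from either participant. It reproduces the first payload quoted in the issue against a constructed in-memory SQLite table and shows the concatenated query beside a parameterized one. Assumptions: the PERSON table is given a username column as the lookup key and a lastname column (only PERSON and firstname appear in the issue); Python's sqlite3 module stands in for the PHP app's database layer; and `executescript()` is used for the unescaped path to stand in for a driver that accepts stacked statements, since that is what the injected `; update ...` needs in order to run.

```python
import sqlite3

# Constructed sample rows. The PERSON table and its firstname column are
# named in the issue's payload; the username and lastname columns are assumed.
SEED_ROWS = [
    ("alice", "Alice", "Anderson"),
    ("bob", "Bob", "Baker"),
    ("carol", "Carol", "Chen"),
]

# The first payload from the issue report, verbatim.
PAYLOAD = "lol'; update PERSON set firstname='sqlparty"


def fresh_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE PERSON (username TEXT PRIMARY KEY, "
        "firstname TEXT, lastname TEXT)"
    )
    conn.executemany("INSERT INTO PERSON VALUES (?, ?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def all_firstnames(conn):
    """Every firstname in the table, in username order, to observe side effects."""
    rows = conn.execute("SELECT firstname FROM PERSON ORDER BY username")
    return [row[0] for row in rows]


def lookup_vulnerable(conn, username):
    """Unescaped concatenation: the user's text becomes part of the SQL.

    Returns the SQL string that was actually executed so the reader can see
    where the attacker's quote closes the literal and starts a new statement.
    """
    sql = "SELECT firstname FROM PERSON WHERE username = '" + username + "'"
    # executescript() runs every statement in the string, so the injected
    # "; update ..." executes too. Assumption: this stands in for a driver that
    # accepts stacked statements (sqlite3's execute() would refuse the second
    # statement, but the issue describes a setup where the UPDATE ran).
    conn.executescript(sql)
    return sql


def lookup_safe(conn, username):
    """Parameterized query: the value is bound by the driver, never parsed as SQL."""
    cur = conn.execute(
        "SELECT firstname FROM PERSON WHERE username = ?", (username,)
    )
    return [row[0] for row in cur.fetchall()]


def demo():
    """Run the same payload through both code paths on fresh databases."""
    conn = fresh_db()
    before = all_firstnames(conn)
    executed = lookup_vulnerable(conn, PAYLOAD)
    after_vulnerable = all_firstnames(conn)

    conn = fresh_db()
    matched = lookup_safe(conn, PAYLOAD)
    after_safe = all_firstnames(conn)
    return {
        "before": before,
        "executed_sql": executed,
        "after_vulnerable": after_vulnerable,
        "safe_matches": matched,
        "after_safe": after_safe,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the concatenated query, the string handed to the database is `SELECT firstname FROM PERSON WHERE username = 'lol'; update PERSON set firstname='sqlparty'`, and every row's firstname comes back as `sqlparty`, which is the behaviour the issue describes. With the bound parameter the same input is searched for as a literal username, matches nothing, and leaves the table untouched; the driver does the quoting, so there is no escaping step for application code to forget.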