On Thu, May 19, 2011 at 11:46:37AM +0200, Ionuț Arțăriși wrote:
> On 05/18/2011 05:05 PM, Jan Pazdziora wrote:
> >On Wed, May 18, 2011 at 02:38:54PM +0200, Ionuț Arțăriși wrote:
> >>On 05/18/2011 01:14 PM, Jan Pazdziora wrote:
> >>
> >>...
> >>>Nack. This is SQL-injection-prone. You have to use bind parameters
> >>>or sanitize the input properly.
> >>Thanks, I have fixed the SQL issue.
> >It's still somewhat missing in your patch.
>
> Ok, I think I now understood what you mean. Here's the re-patched patch :).

Good.

Now all that is left is to make sure the call cannot be used to access
information which should not be accessible to the server. If you check
the getErrataInfo and take it as an example, you will see how to
authenticate / authorize, and we will need the query extended to join
with (probably) rhnServerChannel and rhnChannelErrata.

> Those SQL IN operations seem to be quite tedious. Is there anywhere
> that we could move this _bind_list function? Perhaps to something
> like rhnSQL.bind_list? I haven't found any other helpers like this
> already in rhnSQL, but I've seen it used in other places.

It is certainly possible.

-- 
Jan Pazdziora
Principal Software Engineer, Satellite Engineering, Red Hat
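As an added example, not Spacewalk's own rhnSQL code (the rhnSQL.bind_list name is only proposed above and is assumed here), this shows how such a helper can turn a Python list into named bind parameters for an SQL IN clause, and how the query can join through the server's channels so a server only reads errata it is entitled to. It uses sqlite3 with the ":name" paramstyle as a stand-in for the Oracle connection, and constructed table names and rows modelled on rhnServerChannel / rhnChannelErrata.

```python
import sqlite3


def bind_list(prefix, values):
    """Return (placeholder_sql, params) for an SQL IN list.

    bind_list("e", [1, 2, 3]) -> (":e0, :e1, :e2", {"e0": 1, "e1": 2, "e2": 3})
    The values never become part of the SQL text, so they cannot change it.
    """
    if not values:
        # "IN ()" is a syntax error; callers must handle the empty case.
        raise ValueError("bind_list needs at least one value")
    names = ["%s%d" % (prefix, i) for i in range(len(values))]
    placeholders = ", ".join(":" + n for n in names)
    return placeholders, dict(zip(names, values))


def errata_for_server(conn, server_id, errata_ids):
    """Return (id, advisory) rows from errata_ids that the server may see.

    The join through server_channel / channel_errata (constructed stand-ins
    for rhnServerChannel / rhnChannelErrata) is what enforces that a server
    only reads errata published in one of its own channels.
    """
    in_sql, params = bind_list("e", errata_ids)
    params["sid"] = server_id
    sql = """
        SELECT DISTINCT e.id, e.advisory
          FROM errata e
          JOIN channel_errata ce ON ce.errata_id = e.id
          JOIN server_channel sc ON sc.channel_id = ce.channel_id
         WHERE sc.server_id = :sid
           AND e.id IN (%s)
         ORDER BY e.id""" % in_sql   # only placeholders are interpolated
    return conn.execute(sql, params).fetchall()


def demo_db():
    """Constructed in-memory schema and rows standing in for the real tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE errata (id INTEGER PRIMARY KEY, advisory TEXT);
        CREATE TABLE channel_errata (channel_id INTEGER, errata_id INTEGER);
        CREATE TABLE server_channel (server_id INTEGER, channel_id INTEGER);
        INSERT INTO errata VALUES (1, 'ADV-0001'), (2, 'ADV-0002'), (3, 'ADV-0003');
        INSERT INTO channel_errata VALUES (10, 1), (10, 2), (20, 3);
        INSERT INTO server_channel VALUES (1000, 10);
    """)
    return conn
```

Server 1000 is subscribed only to channel 10, so asking for errata 1, 2 and 3 returns just the first two; a non-numeric value in the list simply matches nothing instead of altering the query.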

_______________________________________________
Spacewalk-devel mailing list
Spacewalk-devel@redhat.com
https://www.redhat.com/mailman/listinfo/spacewalk-devel
