You are sending via xmlrpc a string and the string is eval-ed on the
server. A malicious client could send a string like "os.system('rm -f
*')" instead of a database query.

Massimo

On Aug 18, 1:09 am, rb <[email protected]> wrote:
> I don't see why it would be "dangerous." If the rowSelectStr is empty
> then all rows are selected. Otherwise, (and it is not shown above) the
> string of the list of table fields to compare for row selection is
> created programmatically from column definitions. At no time is user
> input directly used to generate the rowSelectStr or the colSelectStr
> (the keySegValues which come from the record object are first verified
> when the values are inserted into the record object - no invalid data
> is allowed to be inserted). I just have to remember not to include the
> "db." prefix in the rowSelectStr creation and to include the "db."
> prefix in the colSelectStr creation.
>
> At least, that's my (current) understanding.
>
> --
> Rb
>
> On Aug 17, 2:30 pm, mdipierro <[email protected]> wrote:
>
> > It is not a bug.
>
> > db(query)
>
> > query can be a DAL query or a SQL query (string).
>
> > mind that what you are doing is dangerous unless you have a way to
> > restrict who can access that xmlrpc function to the administrator.
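The thread's point is that a query string which the server evaluates is really remote code, and that the client, not the server, decides what it contains. The example below is an added illustration (not code from the thread, from web2py, or from rb's application) of the alternative shape: the XML-RPC call carries structured data (table name, column names, key values) and the server builds the query itself, checking every column name against the table's own schema and passing values as bind parameters. It assumes a constructed sqlite3 in-memory table named `person`; the `ALLOWED_TABLES` set, the `build_select`/`select_rows` helpers and the sample rows are all assumptions made for the example.

```python
"""Added example: server-side row selection that never evaluates or
interpolates a client-supplied string. Table and column names are
allowlisted from the schema; values travel as bind parameters."""
import sqlite3

# Constructed sample schema and rows (not real data).
_SCHEMA = """
CREATE TABLE person (id INTEGER PRIMARY KEY, name TEXT, email TEXT, age INTEGER);
INSERT INTO person (name, email, age) VALUES ('alice', 'alice@example.invalid', 31);
INSERT INTO person (name, email, age) VALUES ('bob', 'bob@example.invalid', 44);
"""

# Assumed allowlist: the only tables an RPC caller may ever query.
ALLOWED_TABLES = {"person"}


def open_sample_db():
    """Create the constructed in-memory database used by the example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(_SCHEMA)
    return conn


def table_columns(conn, table):
    """Column names taken from the schema itself (PRAGMA table_info).

    `table` is only interpolated after it passed the ALLOWED_TABLES check
    in build_select, so no caller-controlled text reaches this f-string.
    """
    return {row[1] for row in conn.execute(f"PRAGMA table_info({table})")}


def build_select(conn, table, key_values, columns=None):
    """Return (sql, params) for a SELECT built from structured input.

    key_values: {column: value} for the WHERE clause (empty = all rows).
    columns:    column names to return (default: every column).
    Any table or column name not present in the schema is rejected, so a
    string such as "os.system('...')" or "name; DROP TABLE person" is just
    an unknown identifier and raises ValueError before any SQL is built.
    """
    if table not in ALLOWED_TABLES:
        raise ValueError(f"unknown table: {table!r}")
    allowed = table_columns(conn, table)

    where_cols = sorted(key_values)           # deterministic ordering
    unknown = set(where_cols) - allowed
    if unknown:
        raise ValueError(f"unknown key column(s): {sorted(unknown)!r}")

    cols = list(columns) if columns else sorted(allowed)
    unknown = set(cols) - allowed
    if unknown:
        raise ValueError(f"unknown select column(s): {sorted(unknown)!r}")

    sql = f"SELECT {', '.join(cols)} FROM {table}"
    if where_cols:
        # Values are never spliced into the text; they are bound by sqlite3.
        sql += " WHERE " + " AND ".join(f"{c} = ?" for c in where_cols)
    params = [key_values[c] for c in where_cols]
    return sql, params


def select_rows(conn, table, key_values, columns=None):
    """Run the safely built query and return rows as dicts."""
    sql, params = build_select(conn, table, key_values, columns)
    cur = conn.execute(sql, params)
    names = [d[0] for d in cur.description]
    return [dict(zip(names, row)) for row in cur.fetchall()]


def rpc_select(conn, request):
    """What an XML-RPC handler would receive: a struct, not a query string.

    request = {"table": str, "keys": {col: value}, "columns": [str, ...]}
    """
    return select_rows(conn, request["table"], request.get("keys", {}),
                       request.get("columns"))


if __name__ == "__main__":
    db = open_sample_db()
    print(rpc_select(db, {"table": "person", "keys": {"name": "alice"},
                          "columns": ["id", "name"]}))
    # A value that would be an injection if interpolated simply matches nothing.
    print(rpc_select(db, {"table": "person", "keys": {"name": "' OR 1=1 --"},
                          "columns": ["name"]}))
```

The contrast with the thread: the server here exposes a data vocabulary (tables, columns, values) rather than an execution vocabulary (arbitrary strings). Restricting the RPC function to the administrator, as suggested upstream, is still worthwhile, but with this shape a caller who does reach the function can only ask questions the schema already permits.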

