#11048 closed defect (fixed)

String formatting is used to prepare SQL statements

Reported by: rjollos Owned by: rjollos
Priority: normal Component: PrivateReportsPlugin
Severity: normal Keywords: sql string formatting
Cc: Trac Release:

Description

String formatting is used to prepare SQL statements, which opens up the possibility of SQL injection and cross-DB compatibility problems. Proper use of the Trac database API is described in t:TracDev/DatabaseApi#RulesforDBAPIUsage.

Is the plugin still being maintained? I'd be happy to fix these issues if the plugin author approves. I'll proceed if there is no response in two weeks, per the AdoptingHacks policy.

Attachments (0)

Change History (3)

comment:1 Changed 15 months ago by rjollos

  • Keywords sql string formatting added

comment:2 Changed 15 months ago by rjollos

  • Owner changed from mhenke to rjollos
  • Status changed from new to assigned

comment:3 Changed 15 months ago by rjollos

  • Resolution set to fixed
  • Status changed from assigned to closed

(In [13047]) Fixes #11048: Removed string formatting for preparing SQL and replaced with proper use of the Trac database API. These changes should prevent the possibility of SQL injection and improve cross-DB compatibility.
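The problem the ticket describes (values spliced into SQL text with `%`) beside the parameterized form the fix moves to, as an added example that is not the plugin's code or part of changeset [13047]. It uses the stdlib sqlite3 module (`?` placeholders) so it runs without Trac; with Trac's database API the same call is `cursor.execute(sql, params)` using `%s` placeholders on every backend. The `private_report` table and its rows are constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for a plugin's report/user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE private_report (report_id INTEGER, username TEXT)")
    conn.executemany(
        "INSERT INTO private_report VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "alice")],
    )
    return conn


def reports_for_user_unsafe(conn, username):
    # The pattern the ticket reports: the value becomes part of the statement
    # text, so quoting in the input changes the SQL that is executed.
    sql = "SELECT report_id FROM private_report WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]


def reports_for_user_safe(conn, username):
    # The fixed pattern: the statement is fixed text and the value is bound as
    # a parameter, so the driver quotes it for the backend in use.
    sql = "SELECT report_id FROM private_report WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def unsafe_query_breaks_on(conn, username):
    # True if the string-formatted query is no longer valid SQL for this input,
    # e.g. a name containing an apostrophe.
    try:
        reports_for_user_unsafe(conn, username)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(reports_for_user_safe(db, "alice"))         # [1, 3]
    print(unsafe_query_breaks_on(db, "o'brien"))      # True
    print(reports_for_user_safe(db, "o'brien"))       # []
```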
