id	summary	reporter	owner	description	type	status	priority	component	severity	resolution	keywords	cc	release
6381	RPC executeQuery is open to SQL Injection	carstenklein@…	okazaki	"
Please adjust the implementation of the executeQuery method so that it prevents SQL Injection.

Both parameters ""query"" and ""sort"" are not tested against common types of SQL Injection attacks.

E.g. providing for '''sort''' a value such as ""start_time asc; DELETE FROM ticket WHERE 1=1; DELETE FROM wiki WHERE 1=1;"" would remove all of your important ticket and wiki data. Actual table names and field names may be different from the ones used in the above example, but you should get the picture.

"	defect	assigned	normal	TracDependencyPlugin	normal				0.11
