Opened 12 years ago
Closed 12 years ago
#11048 closed defect (fixed)
String formatting is used to prepare SQL statements
| Reported by: | Ryan J Ollos | Owned by: | Ryan J Ollos |
|---|---|---|---|
| Priority: | normal | Component: | PrivateReportsPlugin |
| Severity: | normal | Keywords: | sql string formatting |
| Cc: | | Trac Release: | |
Description
String formatting is used to prepare SQL statements, which opens up the possibility of SQL injection and cross-DB compatibility problems. Proper use of the Trac database API is described in t:TracDev/DatabaseApi#RulesforDBAPIUsage.
Is the plugin still being maintained? I'd be happy to fix these issues if the plugin author approves. I'll proceed if there is no response in two weeks, per the AdoptingHacks policy.
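The two failure modes the description names (injection and backend-specific quoting) side by side, as an added example that is not part of the ticket or of the plugin's own code. It runs against an in-memory SQLite database with a constructed table; the table name `private_report_perms`, the sample rows and the function names are assumptions for illustration, not the plugin's real schema. The Trac database API uses `%s` placeholders on every backend; plain `sqlite3` is used here so the placeholders are `?`, but the point is the same: the value is bound by the driver instead of pasted into the statement text.

```python
import sqlite3

# Constructed sample data; the table and its columns are an assumption
# made for this example, not the plugin's actual schema.
SAMPLE_ROWS = [
    (1, "alice"),
    (2, "bob"),
    (3, "o'brien"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE private_report_perms (report_id INTEGER, username TEXT)")
    db.executemany("INSERT INTO private_report_perms VALUES (?, ?)", SAMPLE_ROWS)
    return db


def reports_for_user_unsafe(db, username):
    """The pattern the ticket objects to: the value is formatted into the SQL.

    A quote inside `username` terminates the string literal, so the caller
    controls the rest of the statement (injection), and the quoting rules of
    the particular backend are silently assumed instead of handled by it.
    """
    sql = "SELECT report_id FROM private_report_perms WHERE username = '%s'" % username
    return [row[0] for row in db.execute(sql)]


def reports_for_user_safe(db, username):
    """The fix: a placeholder in the SQL text, the value passed separately.

    The driver binds the value, so it can never change the shape of the
    statement, and escaping is done per backend by the driver itself.
    (Trac's API spells the placeholder %s; sqlite3 spells it ?.)
    """
    sql = "SELECT report_id FROM private_report_perms WHERE username = ?"
    return [row[0] for row in db.execute(sql, (username,))]


def demo():
    """Run both variants over normal, hostile and awkward input."""
    db = make_db()
    results = {}

    # Ordinary input behaves identically in both versions.
    results["alice_unsafe"] = reports_for_user_unsafe(db, "alice")
    results["alice_safe"] = reports_for_user_safe(db, "alice")

    # Injection: close the literal and append an always-true clause.
    attack = "nobody' OR '1'='1"
    results["attack_unsafe"] = reports_for_user_unsafe(db, attack)  # every row
    results["attack_safe"] = reports_for_user_safe(db, attack)      # no row

    # A legitimate value containing a quote: malformed SQL when formatted in,
    # a correct lookup when bound as a parameter.
    try:
        reports_for_user_unsafe(db, "o'brien")
        results["quote_unsafe_error"] = False
    except sqlite3.Error:
        results["quote_unsafe_error"] = True
    results["quote_safe"] = reports_for_user_safe(db, "o'brien")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The third case is the cross-DB half of the complaint: even without an attacker, a name with an apostrophe breaks the formatted query, and the exact breakage depends on which backend's quoting conventions the string happens to match, whereas the bound parameter is handled by each driver according to its own rules.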
Attachments (0)
Change History (3)
comment:1 Changed 12 years ago by

| Keywords: | sql string formatting added |
|---|---|
comment:2 Changed 12 years ago by

| Owner: | changed from Michael Henke to Ryan J Ollos |
|---|---|
| Status: | new → assigned |
comment:3 Changed 12 years ago by

| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |

(In [13047]) Fixes #11048: Removed string formatting for preparing SQL and replaced with proper use of the Trac database API. These changes should prevent the possibility of SQL injection and improve cross-DB compatibility.