Opened 4 years ago

Closed 4 years ago

#11048 closed defect (fixed)

String formatting is used to prepare SQL statements

Reported by: Ryan J Ollos Owned by: Ryan J Ollos
Priority: normal Component: PrivateReportsPlugin
Severity: normal Keywords: sql string formatting
Cc: Trac Release:

Description

String formatting is used to prepare SQL statements, which opens up the possibility of SQL injection and cross-DB compatibility problems. Proper use of the Trac database API is described in t:TracDev/DatabaseApi#RulesforDBAPIUsage.

Is the plugin still being maintained? I'd be happy to fix these issues if the plugin author approves. I'll proceed if there is no response in two weeks, per the AdoptingHacks policy.

Attachments (0)

Change History (3)

comment:1 Changed 4 years ago by Ryan J Ollos

Keywords: sql string formatting added

comment:2 Changed 4 years ago by Ryan J Ollos

Owner: changed from Michael Henke to Ryan J Ollos
Status: new → assigned

comment:3 Changed 4 years ago by Ryan J Ollos

Resolution: fixed
Status: assigned → closed

(In [13047]) Fixes #11048: Removed string formatting for preparing SQL and replaced with proper use of the Trac database API. These changes should prevent the possibility of SQL injection and improve cross-DB compatibility.
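The two patterns the ticket contrasts, as an added example that is not code from PrivateReportsPlugin or from changeset [13047]. It runs against an in-memory sqlite3 table constructed here rather than a Trac environment; in Trac code the equivalent is `env.db_query` / `env.db_transaction` with `%s` placeholders as the linked DatabaseApi page describes, and the `%s` to `?` translation below stands in for what Trac's sqlite backend does (an assumption about that backend, not its code).

```python
import sqlite3


def make_db():
    """Constructed sample: a report table with two rows, one whose
    title contains an apostrophe, the way real report data often does."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE report (id INTEGER PRIMARY KEY, title TEXT, author TEXT)"
    )
    conn.executemany(
        "INSERT INTO report (id, title, author) VALUES (?, ?, ?)",
        [
            (1, "Active tickets", "admin"),
            (2, "O'Brien's private report", "obrien"),
        ],
    )
    return conn


def report_ids_formatted(conn, author):
    """The 'before' pattern the ticket reports: the value is pasted into the
    SQL text with the % operator, so the database parses it as SQL."""
    sql = "SELECT id FROM report WHERE author = '%s' ORDER BY id" % author
    return [row[0] for row in conn.execute(sql)]


def report_ids_parameterized(conn, author):
    """The 'after' pattern: the value travels as a bind parameter and is never
    parsed as SQL. The query is written with Trac-style %s placeholders and
    rewritten to sqlite's '?' here (assumption standing in for Trac's backend),
    which is also what makes one query text work across database backends."""
    sql = "SELECT id FROM report WHERE author = %s ORDER BY id"
    return [row[0] for row in conn.execute(sql.replace("%s", "?"), (author,))]


def formatted_query_breaks(conn, author):
    """True when the formatted variant cannot even handle the value as data,
    e.g. a name containing a single quote yields a malformed statement."""
    try:
        report_ids_formatted(conn, author)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    # Ordinary input: both variants agree.
    print(report_ids_formatted(conn, "admin"), report_ids_parameterized(conn, "admin"))
    # A legitimate value with an apostrophe: formatting produces broken SQL,
    # binding treats it as a (non-matching) literal.
    print(formatted_query_breaks(conn, "o'brien"), report_ids_parameterized(conn, "o'brien"))
    # Untrusted input shaped like SQL: formatting changes the WHERE clause and
    # returns every row; binding matches nothing because the text is only data.
    hostile = "' OR '1'='1"
    print(report_ids_formatted(conn, hostile), report_ids_parameterized(conn, hostile))
```

The check worth keeping from this is the last one: any value that reaches the query through `%` formatting can alter the statement, whereas a bound parameter can only ever be compared against the column, whatever characters it contains.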
