Context Navigation

Modify ↓

#11048 closed defect (fixed)

String formatting is used to prepare SQL statements

Reported by:	Ryan J Ollos	Owned by:	Ryan J Ollos
Priority:	normal	Component:	PrivateReportsPlugin
Severity:	normal	Keywords:	sql string formatting
Cc:		Trac Release:

Description

String formatting is used to prepare SQL statement, which opens up the possibility of SQL injection and cross-DB compatibility problems. Proper use of the Trac database API is described in t:TracDev/DatabaseApi#RulesforDBAPIUsage.

Is the plugin still being maintained? I'd be happy to fix these issues if the plugin author approves. I'll proceed if there is no response in two weeks, per the AdoptingHacks policy.

Attachments (0)

Change History (3)

comment:1 Changed 11 years ago by Ryan J Ollos

Keywords:	sql string formatting added

comment:2 Changed 11 years ago by Ryan J Ollos

Owner:	changed from Michael Henke to Ryan J Ollos
Status:	new → assigned

comment:3 Changed 11 years ago by Ryan J Ollos

Resolution:	→ fixed
Status:	assigned → closed

(In [13047]) Fixes #11048: Removed string formatting for preparing SQL and replaced with proper use of the Trac database API. These changes should prevent the possibility of SQL injection and improve cross-DB compatibility.

Modify Ticket

Change Properties

Summary:
Type:	Priority:
Component:	Severity:
Keywords:	Cc:	Set your email in Preferences
Trac Release:

Action

leave as closed The owner will remain Ryan J Ollos.

reopen The resolution will be deleted. Next status will be 'reopened'.

Add Comment

Your email or username:

E-mail address and name can be saved in the Preferences.

You may use WikiFormatting here.

Attachments ↑ Description ↑

Note: See TracTickets for help on using tickets.

Download in other formats: