[AppDB] Allow filtering by licence in downloads list

Alexander Nicolaysen Sørnes alex at thehandofagony.com
Sun Jan 21 14:16:30 CST 2007


Sunday 21 January 2007 19:44, Chris Morgan wrote:
> On 1/21/07, Alexander Nicolaysen Sørnes <alex at thehandofagony.com> wrote:
> > Sunday 21 January 2007 19:16, Chris Morgan wrote:
> > > On 1/21/07, Alexander Nicolaysen Sørnes <alex at thehandofagony.com> wrote:
> > > > Allow filtering by licence in the downloadable apps list.
> > > >
> > > >
> > > > Regards,
> > > >
> > > > Alexander N. Sørnes
> > >
> > > This change introduces a potential sql exploit because you are putting
> > > values into the sql text and not adding a '?' and passing the value as
> > > a separate parameter where it is escaped. We should probably use the
> > > standard binding format so we don't have any risk of adding sql
> > > exploits.
> >
> > It is not an exploit, because it uses the return of checkLicense(), which
> > returns a valid licence name only.
> >
> > > Chris
>
> Ahh, yes you are correct. If it isn't too difficult we really should
> pass it as a parameter so there isn't any question of whether along
> the line the variable was somehow cleaned. Consider if the code is
> modified to use user related input at some point.

Here is the new version.

>
> Chris
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dllist-licence.diff
Type: text/x-diff
Size: 4827 bytes
Desc: not available
Url : http://www.winehq.org/pipermail/wine-patches/attachments/20070121/2e6a2890/dllist-licence.bin
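The point of the exchange above, as an added example that is not part of the original thread and not AppDB code: a whitelist such as checkLicense() does keep a concatenated query safe today, but binding the value with a '?' placeholder keeps it safe even if a later change routes user input around the whitelist. The example is in Python with sqlite3 rather than the AppDB's PHP; the licence names, the `downloads` table and its rows are constructed for the demonstration, and `check_license` is a stand-in for the thread's checkLicense(), not its real implementation.

```python
import sqlite3

# Constructed sample data: the licence set, table and rows are made up for
# this example and are not taken from the AppDB schema.
LICENCES = ("Free", "Shareware", "Commercial")   # assumed set of valid licence names
ROWS = [("Alpha", "Free"), ("Beta", "Shareware"), ("Gamma", "Commercial")]


def check_license(value):
    """Whitelist in the spirit of the thread's checkLicense() (hypothetical
    stand-in): returns the canonical licence name for a case-insensitive
    match, else None."""
    for name in LICENCES:
        if value.strip().lower() == name.lower():
            return name
    return None


def make_db():
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE downloads (name TEXT, licence TEXT)")
    conn.executemany("INSERT INTO downloads VALUES (?, ?)", ROWS)
    return conn


def downloads_concat(conn, licence):
    """The pattern Chris objected to: the value is spliced into the SQL text.
    Safe only as long as every caller passes a whitelisted value."""
    sql = "SELECT name FROM downloads WHERE licence = '%s'" % licence
    return [r[0] for r in conn.execute(sql)]


def downloads_bound(conn, licence):
    """The pattern he asked for: a '?' placeholder with the value bound
    separately, so the driver never parses the value as SQL."""
    sql = "SELECT name FROM downloads WHERE licence = ?"
    return [r[0] for r in conn.execute(sql, (licence,))]


def filtered_list(conn, user_value, use_binding):
    """Today's code path: whitelist first, then query. With the whitelist in
    front, both query styles return the same rows."""
    licence = check_license(user_value)
    if licence is None:
        return []
    if use_binding:
        return downloads_bound(conn, licence)
    return downloads_concat(conn, licence)


def injection_demo():
    """Simulates Chris's worry: a later change sends user input straight to
    the query without the whitelist. Returns (concat_rows, bound_rows)."""
    conn = make_db()
    payload = "' OR '1'='1"            # constructed attacker input
    return downloads_concat(conn, payload), downloads_bound(conn, payload)


if __name__ == "__main__":
    conn = make_db()
    print(filtered_list(conn, "free", use_binding=False))          # ['Alpha']
    print(filtered_list(conn, "' OR '1'='1", use_binding=False))   # [] rejected by whitelist
    concat_rows, bound_rows = injection_demo()
    print(concat_rows)   # ['Alpha', 'Beta', 'Gamma'] whole table leaks
    print(bound_rows)    # [] payload treated as a literal licence name
```

The concatenated query leaks every row once the whitelist is gone, because the payload closes the quoted literal and appends its own condition; the bound query returns nothing, since the driver hands the whole string to the engine as one literal. That is the difference Chris is pointing at: whitelisting is a property of the current callers, binding is a property of the query itself.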


More information about the wine-patches mailing list