Or Aiki can escape strings automatically: when the parser spots '(!(1)!)' or (!(1)!) it will always escape those strings. I think that ((foo)) should be escaped too.
-- 
You received this bug notification because you are a member of Aiki Framework Admins, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/988305

Title:
  Aiki need escape function for SQL

Status in Aiki Framework:
  New

Bug description:
  Right now some SQL queries can be exploited. I tried on OCAL and couldn't execute my own query from the URL, but someone may find a way. Try this: http://openclipart.org/user-detail/jcubic' . If you are logged in as SystemGOD you will see an error in collections; if you're not logged in you will see only a message that something is wrong, so someone could use blind SQL injection. So the solution to prevent potential SQL injection is to add an escape function that can be used in SQL:

  SELECT * from aiki_users WHERE username = 'escape((!(1)!))'

  The new Engine will not have widget-level select but will have inline SQL, so it should be put there, or allow extensions to be executed in SQL like:

  SELECT * from aiki_users WHERE username = '$aiki->db->escape((!(1)!))'

To manage notifications about this bug go to:
https://bugs.launchpad.net/aikiframework/+bug/988305/+subscriptions

_______________________________________________
Mailing list: https://launchpad.net/~aikiframework.admins
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~aikiframework.admins
More help   : https://help.launchpad.net/ListHelp
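The (!(1)!) token substitution and the escape function the report asks for, modelled in Python as an added example (not Aiki's own PHP code): raw substitution that produces the error the report describes, the quote-doubling escape it proposes, and a bind-parameter form, all run against a constructed in-memory aiki_users table. The template string, the token syntax and the SQLite stand-in are assumptions.

```python
import re
import sqlite3

# Constructed in-memory stand-in for aiki_users (not Aiki's real schema).
SAMPLE_USERS = [("jcubic",), ("SystemGOD",)]
TOKEN = re.compile(r"\(!\((\d+)\)!\)")             # (!(1)!), (!(2)!), ...
QUOTED_TOKEN = re.compile(r"'?\(!\((\d+)\)!\)'?")  # same, with optional quotes around it

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE aiki_users (username TEXT)")
    conn.executemany("INSERT INTO aiki_users VALUES (?)", SAMPLE_USERS)
    return conn

def expand_raw(template, args):
    """What the report describes: the URL segment is pasted into the SQL
    text verbatim, so a stray quote breaks the statement."""
    return TOKEN.sub(lambda m: args[int(m.group(1)) - 1], template)

def expand_escaped(template, args):
    """The fix the report asks for: an escape function applied to every token.
    Doubling single quotes is the SQL-standard literal escape (assumption:
    the template always wraps the token in single quotes)."""
    return TOKEN.sub(lambda m: args[int(m.group(1)) - 1].replace("'", "''"), template)

def parameterize(template, args):
    """Stronger form: each (quoted) token becomes a bind parameter, so the
    value never enters the SQL text at all."""
    params = []
    def bind(m):
        params.append(args[int(m.group(1)) - 1])
        return "?"
    return QUOTED_TOKEN.sub(bind, template), params

def lookup(conn, template, args, mode):
    """Run the template in one of the three modes; report errors instead of
    raising, which is what the logged-in admin sees on the collections page."""
    try:
        if mode == "raw":
            rows = conn.execute(expand_raw(template, args)).fetchall()
        elif mode == "escaped":
            rows = conn.execute(expand_escaped(template, args)).fetchall()
        else:
            sql, params = parameterize(template, args)
            rows = conn.execute(sql, params).fetchall()
    except sqlite3.Error as exc:
        return ("error", str(exc))
    return ("ok", rows)

if __name__ == "__main__":
    db = make_db()
    tmpl = "SELECT * FROM aiki_users WHERE username = '(!(1)!)'"
    for mode in ("raw", "escaped", "parameterized"):
        print(mode, lookup(db, tmpl, ["jcubic'"], mode))
```

Only the raw mode fails on the quoted username; both the escaped and the parameterized forms return no rows, and the parameterized one also works when the template contains several tokens in any order.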

