Is there any good reason why "BOLTid" and not "find" is being checked for BOLTadmin privileges?
I'm trying to use BOLTauth for my mysql plugin, where the privileges are not BOLTuser based, but mysql user based. I'm trying to get another plugin which uses mysql to abort if the mysql user supplied is invalid. However, since I'm a superuser, I'm apparently allowed to use this mysql user from any page.

So, assume I have a guest area, say, docs. A user then writes "[(mysql root "DROP * FROM *")]" and then tricks me into viewing this page. I bypass all my own checks and destroy all my mysql information.

Solution: BOLTauth should always check permissions for that which is sent.

You received this message because you are subscribed to the Google Groups "BoltWire" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/boltwire?hl=en
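The failure described in the post is a confused deputy: the page's mysql directive is authorized against whoever views the page, so a guest can plant a directive in a low-privilege area and let a superuser's browser carry it out. The following is an added example, not BoltWire's or the poster's code, modelling that bug and the fix the post asks for (authorize the principal who saved the content, not the viewer). The directive syntax `[(mysql <dbuser> "<sql>")]`, the grant table `DB_USER_GRANTS`, the wiki users "admin" and "guest", the db users "root" and "reader", and the in-memory SQLite table are all constructed for illustration; the real plugin's names and storage differ.

```python
"""Toy model of a wiki directive [(mysql <dbuser> "<sql>")] that is
authorized against the *viewer* of a page (the bug) versus against the
principal who *wrote* the page (the fix).  Assumed names throughout."""
import re
import sqlite3

# Constructed grant table (assumption): which wiki users may act as
# which database users.  Not BoltWire's real permission scheme.
DB_USER_GRANTS = {
    "admin": {"root", "reader"},   # superuser may use any db user
    "guest": {"reader"},           # guests may only use the read-only db user
}

# Directive pattern assumed for the example: [(mysql <dbuser> "<sql>")]
DIRECTIVE = re.compile(r'\[\(mysql\s+(\w+)\s+"([^"]*)"\)\]')


def new_db():
    """Fresh in-memory SQLite database with one table the attacker wants gone."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
    db.execute("INSERT INTO notes (body) VALUES ('keep me')")
    db.commit()
    return db


def table_exists(db, name):
    """True if a table with this name still exists in the database."""
    row = db.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None


def render(db, page, viewer, check_against_author):
    """Render a page, executing each mysql directive it is authorized to run.

    page: {"author": wiki user who saved the text, "text": page source}
    viewer: wiki user requesting the page
    check_against_author=False reproduces the bug (authorize the viewer);
    check_against_author=True authorizes whoever sent the content instead.
    Returns a list of (dbuser, sql, outcome) for each directive found.
    """
    principal = page["author"] if check_against_author else viewer
    results = []
    for dbuser, sql in DIRECTIVE.findall(page["text"]):
        if dbuser not in DB_USER_GRANTS.get(principal, set()):
            results.append((dbuser, sql, "denied"))
            continue
        db.execute(sql)          # the deputy runs the query as <dbuser>
        db.commit()
        results.append((dbuser, sql, "executed"))
    return results


def scenario(check_against_author):
    """Guest plants a root directive in the docs area; admin then views it.

    Returns (directive outcomes, whether the notes table survived).
    """
    db = new_db()
    docs_page = {                      # constructed page saved by the guest
        "author": "guest",
        "text": 'Welcome to the docs.\n[(mysql root "DROP TABLE notes")]\n',
    }
    outcome = render(db, docs_page, viewer="admin",
                     check_against_author=check_against_author)
    return outcome, table_exists(db, "notes")


if __name__ == "__main__":
    print("viewer-based check: ", scenario(False))   # table dropped
    print("author-based check: ", scenario(True))    # directive denied
```

With the viewer-based check the guest's directive runs as root the moment the admin opens the page; with the author-based check the same page is rendered harmlessly because "guest" is never granted "root". Two caveats a practitioner would add: the author must be the principal recorded when the text was saved, not re-derived at view time, and a page edited by several users has to be attributed to the last editor of the directive (or the directive refused), otherwise a guest can append to a page an admin originally wrote.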
