Sounds like a nasty security issue for me. 
 
Also, I would like to say (at the risk of crashing and burning) that I don't think it is a great idea to be using SQL queries of any kind between the frontend/clients and the backend.  I would say a good goal to set for the project is to create an interface that can be used to fully manage myth.
 
I know there is heaps of legacy code and a couple of reasons for having SQL in there atm and people have pro'd and con'd them all, but as a person who would like to write a client of sorts, I would prefer to have the defined interface to play with as opposed to a *whole* DB.
 
I hope that sounded positive to the devs.  It was meant to be.
 
Whytey

 
On 4/27/05, Simon Kenyon <[EMAIL PROTECTED]> wrote:
On Wednesday 27 April 2005 05:21, David Shay wrote:
> As discussed on IRC last night, here is a patch to provide a generic SQL
> service through the myth protocol.  This will be helpful to external
> programs such as mvpmc and now mythroku which cannot easily access mysql
> directly, and also allows for generic database access (non-mysql).  These
> programs can use this for things like accessing the commercial cutlist,
> etc.
>
> I didn't bump the protocol version, since it is an extension, but I could
> submit a patch with that included if you want.
>
> The new protocol command is QUERY_SQL, and it accepts any valid SQL command
> after that. For instance:
>
> QUERY_SQL SELECT sourceid,lineupid from videosource;

what security is associated with this?
is it a mechanism for injecting malicious SQL into the db?

regards
--
simon
_______________________________________________
mythtv-dev mailing list
mythtv-dev@mythtv.org
http://mythtv.org/cgi-bin/mailman/listinfo/mythtv-dev



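The contrast this thread draws, as an added example that is not part of the original messages or of MythTV's code: a pass-through handler for `QUERY_SQL` beside a defined interface that maps fixed commands to parameterized statements. The command names `QUERY_VIDEOSOURCES` and `QUERY_LINEUP`, the handler functions and the in-memory SQLite table are assumptions made for illustration; only `QUERY_SQL` and the `videosource` columns come from the thread.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the backend database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE videosource (sourceid INTEGER PRIMARY KEY, lineupid TEXT)")
    db.executemany("INSERT INTO videosource VALUES (?, ?)",
                   [(1, "lineup-a"), (2, "lineup-b")])  # constructed sample rows
    db.commit()
    return db

def handle_passthrough(db, line):
    """Generic SQL service: whatever follows QUERY_SQL is executed as-is."""
    cmd, _, sql = line.partition(" ")
    if cmd != "QUERY_SQL":
        return "ERROR unknown command"
    rows = db.execute(sql).fetchall()  # the client chooses the statement, reads and writes alike
    db.commit()
    return rows

# Defined interface (hypothetical command names): each command maps to one fixed
# statement plus a converter per argument; clients never supply SQL text.
COMMANDS = {
    "QUERY_VIDEOSOURCES": ("SELECT sourceid, lineupid FROM videosource ORDER BY sourceid", ()),
    "QUERY_LINEUP": ("SELECT lineupid FROM videosource WHERE sourceid = ?", (int,)),
}

def handle_defined(db, line):
    """Dispatch only known commands; arguments are typed, then bound as parameters."""
    parts = line.split()
    if not parts or parts[0] not in COMMANDS:
        return "ERROR unknown command"
    sql, converters = COMMANDS[parts[0]]
    args = parts[1:]
    if len(args) != len(converters):
        return "ERROR bad argument count"
    try:
        params = [conv(arg) for conv, arg in zip(converters, args)]
    except ValueError:
        return "ERROR bad argument"
    return db.execute(sql, params).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(handle_passthrough(db, "QUERY_SQL SELECT sourceid,lineupid from videosource;"))
    print(handle_defined(db, "QUERY_LINEUP 2"))
    print(handle_defined(db, "QUERY_SQL SELECT sourceid,lineupid from videosource;"))
```

With the defined interface, the set of statements the backend will ever run is the `COMMANDS` table, so it can be reviewed and access-controlled per command.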
