Thx. Good point.

http://xkcd.com/327/

---
Rb "bobby drop tables"


On Aug 17, 11:58 pm, mdipierro <mdipie...@cs.depaul.edu> wrote:
> You are sending via xmlrpc a string and the string is eval-ed on the
> server. A malicious client could send a string like "os.system('rm -f
> *')" instead of a database query.
>
> Massimo
>
> On Aug 18, 1:09 am, rb <rbspg...@gmail.com> wrote:
>
> > I don't see why it would be "dangerous." If the rowSelectStr is empty
> > then all rows are selected. Otherwise, (and it is not shown above) the
> > string of the list of table fields to compare for row selection is
> > created programmatically from column definitions. At no time is user
> > input directly used to generate the rowSelectStr or the colSelectStr
> > (the keySegValues which come from the record object are first verified
> > when the values are inserted into the record object - no invalid data
> > is allowed to be inserted). I just have to remember not to include the
> > "db." prefix in the rowSelectStr creation and to include the "db."
> > prefix in the colSelectStr creation.
>
> > At least, that's my (current) understanding.
>
> > --
> > Rb
>
> > On Aug 17, 2:30 pm, mdipierro <mdipie...@cs.depaul.edu> wrote:
>
> > > It is not a bug.
>
> > > db(query)
>
> > > query can be a DAL query or a SQL query (string).
>
> > > mind that what are you doing is dangerous unless you have a way to
> > > restrict who can access that xmlrpc function to the administrator.
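The safer pattern rb describes (column names taken from known column definitions, never from the client, and the row-selection values bound as data rather than pasted into a string) as an added example; this is not code from the thread or from web2py, and it uses plain sqlite3 with `?` placeholders as a stand-in for the DAL. The table `record`, its columns and the sample rows are constructed for the demo.

```python
import re
import sqlite3

# Constructed allowlist: the only table and columns a caller may reference.
# In a real app this would be derived from the table definitions, not typed in.
ALLOWED_COLUMNS = {
    "record": {"id", "key_seg1", "key_seg2", "status"},
}
# Identifiers are validated against a strict pattern as well as the allowlist.
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def build_select(table, col_select, row_select):
    """Return (sql, params) for a SELECT without interpolating any client value.

    table:      table name, must be in ALLOWED_COLUMNS
    col_select: list of column names to return (empty means all columns)
    row_select: dict {column: value}; an empty dict selects every row
    Unknown table or column names raise ValueError instead of reaching SQL.
    """
    if table not in ALLOWED_COLUMNS:
        raise ValueError(f"unknown table: {table!r}")
    allowed = ALLOWED_COLUMNS[table]
    for name in list(col_select) + list(row_select):
        if not IDENT.match(name) or name not in allowed:
            raise ValueError(f"unknown column: {name!r}")

    # Column and table names come only from the allowlist, so they may be
    # placed into the statement text; values never are.
    cols = ", ".join(f"{table}.{c}" for c in col_select) or "*"
    sql = f"SELECT {cols} FROM {table}"
    params = []
    if row_select:
        clauses = []
        for name, value in row_select.items():
            clauses.append(f"{table}.{name} = ?")  # placeholder, not the value
            params.append(value)
        sql += " WHERE " + " AND ".join(clauses)
    return sql, tuple(params)


def run(conn, table, col_select, row_select):
    """Execute the built statement with bound parameters and return all rows."""
    sql, params = build_select(table, col_select, row_select)
    return conn.execute(sql, params).fetchall()


def demo_db():
    """Constructed in-memory database with a few sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE record (id INTEGER PRIMARY KEY, key_seg1 TEXT, "
        "key_seg2 TEXT, status TEXT)"
    )
    conn.executemany(
        "INSERT INTO record (key_seg1, key_seg2, status) VALUES (?, ?, ?)",
        [("A", "1", "open"), ("A", "2", "closed"), ("B", "1", "open")],
    )
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(run(db, "record", ["id"], {}))                     # all rows
    print(run(db, "record", ["status"], {"key_seg1": "A", "key_seg2": "2"}))
    print(build_select("record", ["id"], {"status": "O'Brien"}))
```

The point of the split into statement text and `params` is that a value such as `O'Brien` is handed to the driver as data, so quoting inside it cannot change the statement, while a column or table name that is not in the allowlist is rejected before any SQL is assembled.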