Before, you would insert a query like

    table.field='value' and table.otherfield='othervalue'   (SQL)

with the new one you would insert

    (db.table.field=='value') & (db.table.otherfield=='othervalue')   (web2py)

The former was vulnerable to SQL injections. The new one is vulnerable to arbitrary code execution. This is not a major problem since appadmin access is always restricted to the administrator but, if the administrator does not know what he is doing and he types db.table.drop() he would delete his own table.

I like using the web2py notation since the SQL notation is backend dependent.

The change is ONLY in appadmin

Massimo

On Dec 7, 9:45 pm, "Yarko Tymciurak" <[EMAIL PROTECTED]> wrote:
> can you give an example of what the change looks like?
>
> On Sun, Dec 7, 2008 at 7:42 PM, mdipierro <[EMAIL PROTECTED]> wrote:
>
> > I posted yet another version of T3. This one can handle/upload static
> > files and has a version of appadmin that works on GAE (when the
> > expression has an equivalent on GAE)
> >
> > Should this new version of appadmin be made standard?
> >
> > It introduces a change. The query string is no longer SQL but
> > web2py-ese. This will not break anybody's code so it should not be
> > considered breaking backward compatibility.
> >
> > All in favor? All opposed?
> >
> > Massimo
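As an added illustration (not code from this thread or from web2py itself), the hypothetical guard below checks an appadmin-style query string against the field-comparison notation shown above before it is handed to eval, so that an expression like db.table.drop() is rejected instead of executed. The names is_safe_query and run_query, the operator allow-list, and the fixed `db` name are assumptions.

```python
import ast

# Allow-list for the web2py-style filter notation shown in the post
# (constructed; this operator set is an assumption, not web2py's own grammar).
ALLOWED_COMPARE = (ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE)
ALLOWED_COMBINE = (ast.BitAnd, ast.BitOr)   # web2py joins queries with & and |


def _is_field_ref(node):
    """Accept exactly db.<table>.<field>: Attribute -> Attribute -> Name('db')."""
    return (isinstance(node, ast.Attribute)
            and isinstance(node.value, ast.Attribute)
            and isinstance(node.value.value, ast.Name)
            and node.value.value.id == "db")


def _is_literal(node):
    """Only a plain constant may appear on the right-hand side of a comparison."""
    return (isinstance(node, ast.Constant)
            and isinstance(node.value, (str, int, float, bool, type(None))))


def _check(node):
    """Every node must be a field comparison, a ~ negation, or a & / | join."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, ALLOWED_COMBINE):
        return _check(node.left) and _check(node.right)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Invert):
        return _check(node.operand)
    if (isinstance(node, ast.Compare) and len(node.ops) == 1
            and isinstance(node.ops[0], ALLOWED_COMPARE)):
        return _is_field_ref(node.left) and _is_literal(node.comparators[0])
    return False   # calls, bare names, subscripts, lambdas, etc. are all rejected


def is_safe_query(text):
    """True if `text` is nothing but field comparisons over `db`."""
    try:
        tree = ast.parse(text, mode="eval")
    except SyntaxError:
        return False
    return _check(tree.body)


def run_query(text, db):
    """Evaluate the query only after the structural check; withhold builtins too."""
    if not is_safe_query(text):
        raise ValueError("query string is not a plain field comparison: %r" % text)
    return eval(text, {"__builtins__": {}}, {"db": db})
```

Passing the real DAL `db` object to run_query yields the same Query that typing the expression directly would; anything outside the comparison grammar never reaches eval.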