Before you would insert a query like

    table.field='value' and table.otherfield='othervalue' (SQL)

with the new one would insert

    (db.table.field=='value') & (db.table.otherfield=='othervalue') (web2py)

The former was vulnerable to SQL injections. The new one is vulnerable
to arbitrary code execution. This is not a major problem since
appadmin access is always restricted to the administrator but, if the
administrator does not know what he is doing and he types
db.table.drop() he would delete his own table.

I like using the web2py notation since the SQL notation is backend
dependent.

The change is ONLY in appadmin

Massimo

On Dec 7, 9:45 pm, "Yarko Tymciurak" <[EMAIL PROTECTED]> wrote:
> can you give an example of what the change looks like?
>
> On Sun, Dec 7, 2008 at 7:42 PM, mdipierro <[EMAIL PROTECTED]> wrote:
>
> > I posted yet another version of T3. This one can handle/upload static
> > files and has a version of appadmin that works on GAE (when the
> > expression has an equivalent on GAE)
>
> > Should this new version of appadmin be made standard?
>
> > It introduces a change. The query string is no longer SQL but web2py-
> > ese. This will not break anybody's code so it should not be considered
> > as breaking backward compatibility.
>
> > All in favor? All opposed?
>
> > Massimo