Re: question about MV and SQL security
****** message to minivend-users from mikeh@minivend.com ******
Quoting Ace Kumar (ace@digiknow.com):
>
> I'm running a few catalogs (MV 3.11) w/ SQL
>
> One thing I noticed is that if I do a search using st=sql&sq=<WHATEVER>,
> if someone changes the <WHATEVER> to, say,
> UPDATE products SET price = '1.00' WHERE code = '22'
> then the price *will* get updated.
>
> It seems that the user who runs minivend needs to be in (my case) the
> msql.acl file to be allowed to write to the database.
>
> So, is there anything in MV3.12 that prevents using any SQL statement
> *except* SELECT? Has anybody already patched their MV to do this?
>
There is no reason MiniVend needs write permission once the database
is built, but...this should probably be in there.
In Scan.pm, right below

    if($options->{sql_query}) {

put

    # Refuse any raw search query whose first keyword is not SELECT,
    # log the attempt, and abort the search.
    if ($options->{sql_query} !~ /^\s*select\s+/i) {
        ::logError("Security -- attempt to use non-select on SQL search\n");
        die "Security violation -- attempt to use non-select on SQL search\n";
    }
If anyone knows a reason a search would not be only a SELECT, let me know
and I will take it out of 3.12.
--
Mike Heins http://www.minivend.com/ ___
Internet Robotics |_ _|____
Fast, reliable, cheap. 131 Willow Lane, Floor 2 | || _ \
Pick two and we'll talk. Oxford, OH 45056 | || |_) |
-- unknown <mikeh@minivend.com> |___| _ <
513.523.7621 FAX 7501 |_| \_\
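The check in the reply above looks only at the first keyword of the query. That is enough for the UPDATE case the original poster describes, but a server that accepts several statements in one call would still run whatever follows a semicolon after a legitimate SELECT, and a leading comment can obscure what the first keyword is. The following stand-alone Perl script is an added example, not MiniVend code and not part of this thread: it wraps a stricter "single SELECT only" validator in a function (select_only_ok, a name chosen here) and runs it over constructed sample search strings, including the one quoted in the question. The lasting mitigation remains the one the reply states first: the account MiniVend uses should not have write permission once the database is built, so that a validator bypass cannot change data.

```perl
#!/usr/bin/perl
# Added example, not MiniVend code: a stricter "SELECT only" validator for a
# user-supplied SQL search string, in the spirit of the Scan.pm check above.
# The function name and the sample queries are constructed for illustration.
use strict;
use warnings;

# Return 1 if $sql is a single SELECT statement, 0 otherwise.
sub select_only_ok {
    my ($sql) = @_;
    return 0 unless defined $sql;

    # Reject statement separators: a trailing ";UPDATE ..." would be executed
    # by a server that accepts stacked statements even though the string
    # starts with SELECT. (This also rejects ';' inside string literals; a
    # catalog search has no need for them.)
    return 0 if $sql =~ /;/;

    # Reject SQL comment markers; a search query has no legitimate use for
    # them and they can hide part of the statement from logs and reviewers.
    return 0 if $sql =~ /--/ or $sql =~ m{/\*};

    # The first keyword must be SELECT (the same test the reply adds).
    return 0 unless $sql =~ /^\s*select\s+/i;
    return 1;
}

# Constructed sample inputs: what a catalog search would normally send, and
# the kind of substitution the question reports. Second column is the
# expected verdict.
my @samples = (
    ["select * from products where code = '22'",             1],
    ["  SELECT price FROM products WHERE price < 10",        1],
    ["UPDATE products SET price = '1.00' WHERE code = '22'", 0],
    ["select 1; update products set price = '1.00'",         0],
    ["/* hidden */ update products set price = '1.00'",      0],
    ["delete from products",                                  0],
    ["",                                                      0],
);

my $failures = 0;
for my $s (@samples) {
    my ($sql, $expect) = @$s;
    my $got = select_only_ok($sql);
    $failures++ if $got != $expect;
    printf "%-4s %s\n", ($got == $expect ? 'ok' : 'FAIL'), $sql;
}
exit($failures ? 1 : 0);
```

Run it with `perl select_only.pl`; every line should print "ok". Dropping it into Scan.pm would mean calling select_only_ok($options->{sql_query}) where the reply's regex test sits, with the same ::logError and die on a zero result.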
-
To unsubscribe from the list, DO NOT REPLY to this message. Instead, send
email with 'UNSUBSCRIBE minivend-users' in the body to Majordomo@minivend.com.
Archive of past messages: http://www.minivend.com/minivend/minivend-list