18 Jul
2019
18 Jul
'19
8:48 a.m.
On 18/07/2019 12:21, Alan DeKok wrote:
The SQL module has always performed character escaping. I'm not sure what changed, if anything.
The short answer is that you can expose your SQL server to injection attacks by editing the "safe_characters" string in mods-config/sql/main/mysql/queries.conf
Is using parameterised queries instead anywhere on the roadmap?