https://sourceforge.net/p/phpmysqlezedit/bugs/13/Recent changes to 13: SQL injection (security vulnerability)enWed, 24 Feb 2016 22:16:10 -0000https://sourceforge.net/p/phpmysqlezedit/bugs/13/?limit=25#a7b3<div class="markdown_content"><p>Yep. Our later applications include variable cleansing. When the upgrade for this (to mysqli, among other things) comes up, we'll likely also clean it for injection. In theory, however, this is mostly used for "the boss wants to be able to edit this table ... but we don't want her to have access to the entire system ... so here's a simple way to allow her access to this one table/DB only". Avoiding phpMyAdmin access for the boss. 8-)</p></div>TheSatinKnightWed, 24 Feb 2016 22:16:10 -0000https://sourceforge.net851d2133a2eddc2738904e56518c97a4c47ae9d8https://sourceforge.net/p/phpmysqlezedit/bugs/13/<div class="markdown_content"><p>It is trivial to perform SQL injection.</p> <p>Example input data for search field<br/> <code>foo ' or 1=1 or '</code></p> <p>Value of $SQL variable<br/> <code>select * from v_log WHERE id LIKE '%foo ' or 1=1 or '%' order by id desc limit 100</code></p> <p>Of course a bad guy would injection something more interesting</p> <p>This was tested with SVN r17</p></div>Andrew ZiemWed, 24 Feb 2016 21:30:59 -0000https://sourceforge.net03d6dd96db31c718977f17fbce638a7000eb2c10