eprints_tech messages
[EP-tech] security hole and expensive indexing
From: "Roman Chyla" <roman.chyla AT gmail.com>
Date: Mon, 19 May 2008 14:47:47 +0200
Threading: This Message → Re: [EP-tech] security hole and expensive indexing (from tdb01r AT ecs.soton.ac.uk) → Re: [EP-tech] security hole and expensive indexing (from roman.chyla AT gmail.com) → Re: [EP-tech] security hole and expensive indexing (from tdb01r AT ecs.soton.ac.uk)
Archived message: http://www.eprints.org/tech.php/id/%3Cea0115e90805190547o4d84bdb2yec2625bbaf255415%40mail.gmail.com%3E

Hi,

I am in the process of fixing EPrints for us. I am hoping to give you some feedback over time.

This one is a severe security hole: generally a very bad idea to do:

    $sql = "INSERT INTO $indextable (fieldword,pos,ids ) VALUES ('$fieldword',$n,':$objectid:')";
    $session->get_database->do( $sql );

should be done as:

    $sql = "INSERT INTO $indextable (fieldword,pos,ids ) VALUES (?,?,?)";
    $session->get_database->do( $sql, $fieldword, $n, ":$objectid:" );

even if EPrints *sometimes* does the Database::prep_value($value) - that function does not care for anything but backslashes

prone to this error: everything in EPrints, especially fulltext indexing

----

and also, the indexing is very CPU intensive (for many reasons), one of them is this:

    $session->get_database->do( $query );

it would be much much better to do:

    my $q = $dbh->prepare("statement");

and then only in the loop

    $q->execute();

all the best,
roman
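The two points in the message above (values spliced into the SQL text versus placeholders, and a do() per row versus prepare-once/execute-many) shown side by side against an in-memory SQLite table. This is an added illustration, not EPrints code: it uses plain DBI rather than the EPrints Database wrapper (so do() takes an attribute argument before the bind values), the table name eprint__index is assumed (the message only says $indextable), DBD::SQLite is assumed to be installed, and the sample words are constructed here.

```perl
#!/usr/bin/perl
# Added illustration, not EPrints code. Assumes DBI + DBD::SQLite.
use strict;
use warnings;
use DBI;

my $indextable = 'eprint__index';   # assumed name; the message only says $indextable

# In-memory table shaped like the (fieldword, pos, ids) index table in the message.
sub connect_db {
    my $dbh = DBI->connect( 'dbi:SQLite:dbname=:memory:', '', '',
        { RaiseError => 1, PrintError => 0, AutoCommit => 1 } );
    $dbh->do("CREATE TABLE $indextable (fieldword TEXT, pos INTEGER, ids TEXT)");
    return $dbh;
}

# The style the message flags: the word is spliced into the SQL text, so any
# quote character in it is parsed as SQL rather than stored as data.
sub insert_interpolated {
    my ( $dbh, $fieldword, $n, $objectid ) = @_;
    my $sql = "INSERT INTO $indextable (fieldword,pos,ids) VALUES ('$fieldword',$n,':$objectid:')";
    return $dbh->do($sql);
}

# The style the message recommends: placeholders, values passed separately,
# so the driver never lets the value touch the SQL parser.
sub insert_bound {
    my ( $dbh, $fieldword, $n, $objectid ) = @_;
    my $sql = "INSERT INTO $indextable (fieldword,pos,ids) VALUES (?,?,?)";
    return $dbh->do( $sql, undef, $fieldword, $n, ":$objectid:" );
}

# The indexing loop the message asks for: prepare once, execute() per word.
# Returns the number of rows inserted.
sub index_words_prepared {
    my ( $dbh, $objectid, $words ) = @_;
    my $sth = $dbh->prepare("INSERT INTO $indextable (fieldword,pos,ids) VALUES (?,?,?)");
    my $n = 0;
    for my $word (@$words) {
        $sth->execute( $word, $n, ":$objectid:" );
        $n++;
    }
    return $n;
}

sub stored_words {
    my ($dbh) = @_;
    return $dbh->selectcol_arrayref("SELECT fieldword FROM $indextable ORDER BY pos");
}

# Constructed sample: an ordinary word with an apostrophe, as full text contains
# all the time, is enough to make the interpolated statement fail to parse.
my $dbh = connect_db();
my $apostrophe_word = "o'reilly";

my $ok = eval { insert_interpolated( $dbh, $apostrophe_word, 0, 42 ); 1 };
print "interpolated insert: ", ( $ok ? "succeeded\n" : "FAILED: $@" );

insert_bound( $dbh, $apostrophe_word, 0, 42 );
print "bound insert stored: ", join( ',', @{ stored_words($dbh) } ), "\n";

my $count = index_words_prepared( $dbh, 43, [qw(alpha beta gamma)] );
print "prepared loop inserted $count rows\n";
$dbh->disconnect;
```

With RaiseError set, the interpolated insert dies on the apostrophe (the quote ends the string literal early and SQLite rejects what follows), which is the same path by which crafted input could alter the statement; the bound insert stores the word verbatim. The prepared loop sends the statement text to the database once and only the bind values per row, which is the CPU saving the message describes.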