Having read some of the comments here, this is my 0.02€:
I feel that a generic method like searchDocuments is way too
dangerous, because, as stated in the comments, malicious SQL can be
inserted easily.
Furthermore, if you try to escape certain characters, you might run
into problems when such a character is part of any XWiki-object.
Therefore, I'd rather have some specialized methods handy, internally
based on PreparedStatements than such a generic problematic method.
I'm aware that there are backward-compatibility issues, also I'm aware
that such a concept doesn't come as handy as a generic method, but
better be safe than sorry....
Cheers
Gregor
--
just because you're paranoid, don't mean they're not after you...
gpgp-fp: 79A84FA526807026795E4209D3B3FE028B3170B2
gpgp-key available @ http://pgpkeys.pca.dfn.de:11371 @ http://pgp.mit.edu:11371/
skype:rc46fi
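
The trade-off argued in the message above, as an added example that is not part of the original post and not XWiki code: a generic search that accepts a WHERE fragment, a quote-stripping filter, and specialized methods with bound parameters. Assumptions: Python's sqlite3 `?` binding stands in for a JDBC PreparedStatement, and the table, column and function names are hypothetical.

```python
import sqlite3

def make_db():
    # Constructed sample data; the schema is hypothetical, not XWiki's.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE doc (fullname TEXT, author TEXT, hidden INTEGER)")
    db.executemany("INSERT INTO doc VALUES (?, ?, ?)", [
        ("Main.WebHome", "Admin", 0),
        ("Main.O'Brien's Notes", "obrien", 0),
        ("Private.Salaries", "Admin", 1),
    ])
    return db

def search_documents_generic(db, where):
    """Generic style: caller-supplied text becomes part of the SQL statement."""
    sql = "SELECT fullname FROM doc WHERE hidden = 0 AND " + where
    return [row[0] for row in db.execute(sql)]

def strip_quotes(value):
    """Naive input filter: removes quote characters before concatenation."""
    return value.replace("'", "")

def find_by_author(db, author):
    """Specialized style: fixed SQL text, the value travels as a bound parameter."""
    sql = "SELECT fullname FROM doc WHERE hidden = 0 AND author = ?"
    return [row[0] for row in db.execute(sql, (author,))]

def find_by_name(db, fullname):
    """Specialized lookup by document name, also with a bound parameter."""
    sql = "SELECT fullname FROM doc WHERE hidden = 0 AND fullname = ?"
    return [row[0] for row in db.execute(sql, (fullname,))]

def demo():
    db = make_db()
    hostile = "x' OR '1'='1"            # constructed input that rewrites the WHERE clause
    legit = "Main.O'Brien's Notes"      # legitimate name that contains quote characters
    return {
        # Concatenation: the hidden = 0 filter no longer applies to every row.
        "generic_hostile": search_documents_generic(db, "author = '" + hostile + "'"),
        # Filtering: the legitimate document can no longer be found.
        "filtered_legit": search_documents_generic(
            db, "fullname = '" + strip_quotes(legit) + "'"),
        # Bound parameters: hostile input is plain data, legitimate input is intact.
        "bound_hostile": find_by_author(db, hostile),
        "bound_legit": find_by_name(db, legit),
    }

if __name__ == "__main__":
    for case, rows in demo().items():
        print(case, rows)
```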