We do, and users should, but there is a function which allows script authors to construct queries for document names, so they are allowed to finish an HQL query. If the script author is malicious, or if they don't properly use prepared statements, then SQL can be injected into the HQL.
See XWiki.searchDocuments:
http://maven.xwiki.org/site/xwiki-core-parent/xwiki-core/apidocs/com/xpn/xw…
I hope this clears up exactly what the issue is.
Caleb
Gregor Schneider wrote:
Very simple question:
Instead of manually playing cats & dogs (i.e. escaping backslashes), why don't you just use PreparedStatements?
Just a thought...
Rgds
Gregor
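The injection Caleb describes, as an added example that is not XWiki's own code: a script author is handed the tail of a query and finishes it by pasting a value in, versus finishing it with a placeholder and passing the value separately. This uses SQLite as a stand-in for Hibernate/HQL, with a constructed, hypothetical table `xwikidoc` (columns `space`, `name`) in place of XWiki's real schema; the function names and sample rows are assumptions for the demo. It also shows why escaping backslashes alone, the manual approach Gregor refers to, does not stop a quote-based payload.

```python
import sqlite3

# Constructed sample rows standing in for XWiki documents (space, name).
DOCS = [
    ("Main", "WebHome"),
    ("Main", "Sandbox"),
    ("Admin", "Secrets"),
]

# A classic payload: closes the string literal and tacks on a true condition.
PAYLOAD = "' OR '1'='1"


def _connect():
    """Fresh in-memory database with the hypothetical xwikidoc table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE xwikidoc (space TEXT, name TEXT)")
    conn.executemany("INSERT INTO xwikidoc VALUES (?, ?)", DOCS)
    return conn


def _run(where_fragment, params=()):
    """Append the script author's fragment to the fixed head of the query.

    This mirrors an API that lets the caller finish the query text: the
    fragment is trusted as query syntax, so whatever it contains is parsed.
    """
    conn = _connect()
    sql = "SELECT name FROM xwikidoc doc " + where_fragment + " ORDER BY name"
    rows = conn.execute(sql, params).fetchall()
    conn.close()
    return [r[0] for r in rows]


def search_documents_concat(space):
    """Unsafe: the value becomes part of the query text."""
    return _run("where doc.space = '" + space + "'")


def escape_backslashes(value):
    """Manual escaping of backslashes only; single quotes pass through."""
    return value.replace("\\", "\\\\")


def search_documents_escaped(space):
    """Still unsafe: escaping backslashes does nothing about quotes."""
    return _run("where doc.space = '" + escape_backslashes(space) + "'")


def search_documents_param(space):
    """Safe: the fragment contains only a placeholder; the value is bound
    separately and is never interpreted as query syntax."""
    return _run("where doc.space = ?", (space,))


if __name__ == "__main__":
    print("concat  :", search_documents_concat(PAYLOAD))
    print("escaped :", search_documents_escaped(PAYLOAD))
    print("param   :", search_documents_param(PAYLOAD))
```

With the payload, the concatenated and backslash-escaped versions return every document, including the one in the `Admin` space, because the fragment the database sees is `where doc.space = '' OR '1'='1'`. The parameterized version looks for a space literally named `' OR '1'='1` and returns nothing, which is the behaviour prepared statements give you for free.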