On Nov 16, 2006, at 11:51 AM, Derek Wright wrote:
> a) submitted patches for those 4.7.x porting issues so we can add a DRUPAL-4-7 branch

i went on a rampage and decided to tackle this. the interested reader is encouraged to review the following 4 issues/patches:

http://drupal.org/node/40661
http://drupal.org/node/40660
http://drupal.org/node/68274
http://drupal.org/node/98457

the only way to get to the UI for #40660 is to either a) know the full URLs or b) just apply #40661 (since it fixes the admin/database overview page which provides all the links). all 4 patches apply independently of each other, but if you want a fully working 4.7.x port, you need all 4.

i had to do some major surgery for the FAPI conversion. however, i didn't go through the whole module, line by line, to audit for problems -- i was just trying to fix the known-bugs. so, there are still some missing t(), some improper theme() related stuff, some places it's looking at $_POST directly when it probably shouldn't be, and some highly scary direct SQL. however, all of the scary SQL stuff is within the admin interface, and that's all a big UI for running queries directly... so the SQL injection the admin could do to herself isn't really a threat we have to be worried about on a page that lets them type in whatever query they want into a nice textfield. ;)

that said, i'd still like to take another look at all of this sometime when it's not 3:30am, and any other security-minded developers would be welcome to join me in auditing this highly powerful (and therefore dangerous) module.

anyway, i believe those 4 patches are all that stands in the way of a DRUPAL-4-7 branch for dba.module. unless there are major objections or someone finds problems in my patches in the next 24 hours or so, i'm planning to commit everything, add the branch, make a DRUPAL-4-7--1-0 release tag, and create a 4.7.x-1.0 release node for it.

thanks,
-derek