Issue status update for http://drupal.org/node/24957 Project: Drupal Version: 4.6.0 Component: watchdog.module Category: feature requests Priority: normal Assigned to: Anonymous Reported by: pyromanfo Updated by: pyromanfo Status: patch Would moving it to the standard POST query paramater fix it? pyromanfo Previous comments: ------------------------------------------------------------------------ June 14, 2005 - 01:34 : pyromanfo Attachment: http://drupal.org/files/issues/watchdog_search.patch (2.75 KB) This patch allows you to search the watchdog log for some text in the hostname, user or the message itself. Also if you enter a severity, 'error','warning','notice' it'll filter by that. Works in tandem with the dropdown filter box. ------------------------------------------------------------------------ June 19, 2005 - 20:30 : Dries These queries are not secure. If someone manages to extend an administrator's session information (through a bug elsewhere), they would be able to execute SQL queries.

Issue status update for http://drupal.org/node/24957 Post a follow up: http://drupal.org/project/comments/add/24957 Project: Drupal -Version: 4.6.0 +Version: cvs Component: watchdog.module Category: feature requests Priority: normal Assigned to: Anonymous Reported by: pyromanfo Updated by: killes@www.drop.org -Status: patch (code needs review) +Status: patch (code needs work) lots of it. *shudder* killes@www.drop.org Previous comments: ------------------------------------------------------------------------ Tue, 14 Jun 2005 01:34:19 +0000 : pyromanfo Attachment: http://drupal.org/files/issues/watchdog_search.patch (2.75 KB) This patch allows you to search the watchdog log for some text in the hostname, user or the message itself. Also if you enter a severity, 'error','warning','notice' it'll filter by that. Works in tandem with the dropdown filter box. ------------------------------------------------------------------------ Sun, 19 Jun 2005 20:30:45 +0000 : Dries These queries are not secure. If someone manages to extend an administrator's session information (through a bug elsewhere), they would be able to execute SQL queries. ------------------------------------------------------------------------ Mon, 20 Jun 2005 14:13:05 +0000 : pyromanfo Would moving it to the standard POST query paramater fix it? ------------------------------------------------------------------------ Tue, 21 Jun 2005 18:32:53 +0000 : Dries I wouldn't fix the problem. The solution is to properly use the dababase API. That is, to use the '%s' and %d directives.