This module has enormous security holes in it. It has the ability to update a number of different areas.
To start with, there is almost no validation in this module. I added some while I was in it fixing other code but a lot more work needs to be done. Even worse, there is no check for any permissions in this module - meaning anyone who knows the module's URL can easily screw up a lot of stuff in the database.
The module really should be rewritten, but at a minimum it needs to ensure the caller is authorized to perform the actions in the module and all the values passed into it need to be validated.