Currently, some of the functions making SQL queries use string substitution or .format(). These functions require a security review and should either a) be altered so that they receive all of their variable values from the server (which in turn receives safe values) or b) be altered so as to eliminate insecure variable substitutions. Of particular concern are the functions called in views/public.py.
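To make the review concrete, the following is an added illustration (not code from this project; it assumes a stand-in SQLite table `users` and hypothetical helper names, since the real schema and the functions in views/public.py are not shown here). It places the `.format()` pattern under review next to its parameterized replacement and shows option a) for the one case parameters cannot cover: identifiers such as sort columns, which the server must pick from a fixed allow-list.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample database; stands in for the project's real one."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("O'Brien", "obrien@example.com")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, name):
    """The pattern the issue flags: the value is spliced into the SQL text.

    Any quote character in `name` changes the query's structure, so a legitimate
    value like O'Brien already breaks it, and hostile input can do worse.
    """
    query = "SELECT id, name, email FROM users WHERE name = '{}'".format(name)
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    """Parameterized replacement (option b): the driver passes the value
    separately from the SQL text, so it is always treated as data."""
    return conn.execute(
        "SELECT id, name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# Hypothetical allow-list for identifiers; parameters cannot bind column names.
ALLOWED_SORT_COLUMNS = {"id", "name", "email"}


def list_users_sorted(conn, sort_column):
    """Option a) for identifiers: the server supplies a value it has checked
    against a fixed allow-list instead of trusting a request-supplied string.
    Only after that check is the identifier interpolated into the SQL text."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_column!r}")
    return conn.execute(f"SELECT id, name FROM users ORDER BY {sort_column}").fetchall()


def demo():
    """Run both lookups on the same input and report what happened."""
    conn = make_db()
    results = {"safe": find_user_safe(conn, "O'Brien")}
    try:
        find_user_unsafe(conn, "O'Brien")
        results["unsafe_error"] = None
    except sqlite3.Error as exc:
        # The formatted query is now malformed SQL: the lookup fails outright.
        results["unsafe_error"] = type(exc).__name__
    results["sorted"] = list_users_sorted(conn, "name")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A practical review rule that follows from this: every `%`, `.format()` or f-string whose operand reaches the SQL text must be either a bound parameter (`?` placeholder with a tuple) or a value the server chose from an allow-list; anything else is a finding.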