moodleou / moodle-report_customsql

A Moodle report plugin that lets you easily create simple reports that can be expressed as a single SQL query

Cannot create a query which includes some keywords #117

Closed TomoTsuyuki closed 2 years ago

TomoTsuyuki commented 2 years ago

Hi,

I just used this plugin and found one query couldn't be saved and run.

Error shows: You are not allowed to use the words ALTER, CREATE, DELETE, DROP, GRANT, INSERT, INTO, TRUNCATE, UPDATE in the SQL.

I checked the query and found there is 'grant' in the where clause. The query is something like: SELECT * FROM {user} WHERE email = 'grant.smith@test.com'

timhunt commented 2 years ago

Correct. This is a security feature. (And one we know is liable to have false positives, but better safe than sorry.)

If you need to do this, do something like WHERE email = CONCAT('gran', 't.smith@test.com')

Or, put in the email address using a placeholder.
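The false positive timhunt describes, as an added example that is not the plugin's code: a word-boundary keyword check run on the raw SQL flags the email address (and a name such as O'Grant), while the same check run after masking single-quoted string literals does not, yet still catches a real DELETE. The keyword list is the one quoted in the error message above; the regexes, the function name and the sample queries are my own assumptions.

```python
import re

# Keywords listed in the plugin's error message quoted in this issue.
BLOCKED = ("ALTER", "CREATE", "DELETE", "DROP", "GRANT",
           "INSERT", "INTO", "TRUNCATE", "UPDATE")

# Whole-word match: 'grant.smith' still matches, because '.' is a word boundary.
KEYWORD_RE = re.compile(r"\b(" + "|".join(BLOCKED) + r")\b", re.IGNORECASE)

# A single-quoted SQL string literal; '' inside it is an escaped quote.
LITERAL_RE = re.compile(r"'(?:[^']|'')*'")


def find_blocked_words(sql: str, ignore_literals: bool = False) -> list[str]:
    """Return the blocked keywords found in sql, uppercased, in order.

    With ignore_literals=True the bodies of string literals are blanked out
    first, so text a user merely compares against (an email address, a
    surname) is not mistaken for a statement keyword.  Keywords outside
    literals are still reported.
    """
    if ignore_literals:
        sql = LITERAL_RE.sub("''", sql)
    return [m.group(1).upper() for m in KEYWORD_RE.finditer(sql)]


# Constructed sample queries (hypothetical data).
EMAIL_QUERY = "SELECT * FROM {user} WHERE email = 'grant.smith@test.com'"
CONCAT_QUERY = "SELECT * FROM {user} WHERE email = CONCAT('gran', 't.smith@test.com')"
NAME_QUERY = "SELECT id FROM {user} WHERE lastname = 'O''Grant'"
DELETE_QUERY = "DELETE FROM {user} WHERE email = 'grant.smith@test.com'"

if __name__ == "__main__":
    for q in (EMAIL_QUERY, CONCAT_QUERY, NAME_QUERY, DELETE_QUERY):
        print(q)
        print("  raw check:            ", find_blocked_words(q))
        print("  literals masked check:", find_blocked_words(q, ignore_literals=True))
```

Masking literals only narrows the false positives; it does not make the keyword list a security boundary on its own, so the report account should still be limited to read-only access at the database level.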