timhunt
commented
1 year ago The list of forbidden workds is https://github.com/moodleou/moodle-report_customsql/blob/main/locallib.php#L317.
These are checked using the simplest possible sub-string match on the whole SQL. Trying to make the checking code too 'clever' would just open the way to bugs, which would be a serious security issue, so we are not going to change it.
There are work-arounds, like if you really need 'delete' as a substring in your query, you can do that as CONCAT('del', 'ete').
Hi,
When trying to run a query with the in operator (e.g. select * from prefix_course where shortname in ...), I get an error about not been able to use create, drop, insert,... and so on in the statement. None of these exist in it, but it is a long list of about 40,000 strings.
Are there any characters that should not be in the string even if every entry is double-quoted and need to be escaped? Is there a limit on the number of items on the list?
Regards, George