@@ -18,7 +18,7 @@ |
|
|
!! SQL injection
|
-A malicious user might try to inject code into the SQL database (Postgres, MySQL etc). Each database engine requires a different version of an attack to present viable SQL. Invalid SQL will result in an error report to the administrator. A 'White Screen', claiming that you are running Bitweaver in test mode, is only returned when the parameter -+IS_LIVE+- set to -+TRUE+- in kernel/config_inc.php. Sites being in production are expected to have set this to -+FALSE+-, while error reports are directed to appropriate error log files.
|
+A malicious user might try to inject code into the SQL database (Postgres, MySQL etc). Each database engine requires a different version of an attack to present viable SQL. Invalid SQL will result in an error report to the administrator. A 'White Screen', claiming that you are running Bitweaver in test mode, is only returned when the parameter -+IS_LIVE+- set to -+FALSE+- in kernel/config_inc.php. Sites being in production are expected to have set this to -+TRUE+-, while error reports are directed to appropriate error log files. |
|
In the past, some of Bitweaver's search functions allowed the inclusion of additional SQL -+WHERE+- clauses. This was not database agnostic and has been replaced. Now, additional search options build the SQL internally, preventing any possible injection attack.
|
|
|
|
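Review bot: The `+` line corrects the inverted -+IS_LIVE+- semantics but carries over the grammatical gap in "the parameter -+IS_LIVE+- set to -+FALSE+-" (missing "is"); suggest "only returned when the parameter -+IS_LIVE+- is set to -+FALSE+- in kernel/config_inc.php. Production sites are expected to set this to -+TRUE+-, so that error reports go to the appropriate error log files instead of the screen." Since the removed line asserted the opposite values, it is worth a second reviewer confirming against kernel/config_inc.php that -+TRUE+- is the production setting before this lands, as this paragraph is the reader's only statement of which value hides database error details from an attacker. In the unchanged context below, "preventing any possible injection attack" overstates what replacing the user-supplied -+WHERE+- clause achieves; "preventing injection through that parameter" would be accurate.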