From: Destailleur Laurent
Subject: Re: [Dolibarr-dev] Vulnerabilities
Date: Sun, 3 Nov 2013 22:11:24 +0100
Hi,
(sorry, I don't know how to reply directly to the existing thread:
http://lists.nongnu.org/archive/html/dolibarr-dev/2013-10/msg00003.html )
This just blew my mind a bit. In this topic, especially the refusal to
start using parametrized queries.
And that the password is stored in plain text in the database is a no go.
And the statement that everything on the quoted website has been fixed
is not true. I run a freshly installed Dolibarr 3.4.1 and the passwords
are indeed available in plain text!
I'm willing to help here and this is what I propose:
- Are there plans to drop the plain password column? Has this already
happened in the next version? This goes too deep into the core of Dolibarr,
so I won't be able to patch this in a meaningful timespan.
- Not using prepared statements is a no go as well. I'd add support for
them in the mysql.class.php (not familiar with the others) with a
function like this:
function parametrizedQuery($query, $params, $usesavepoint=0, $type='auto')
And then start to port the code to use it step by step and make some
pull requests.
What do you think? Would this be a way to go?
Best Regards
Philip
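As an added illustration of the two points raised in the message (this is example code written for this page, not Dolibarr's mysql.class.php or any patch from the project), the following sketches a helper with the proposed signature on top of mysqli prepared statements, and shows the password column holding a hash instead of the plain password. It assumes a mysqli connection, PHP 5.5 or later for password_hash/password_verify, and a hypothetical table demo_user(login, pass_hash) that exists only for this example; the credentials and the login value are constructed.

```php
<?php
// Added example, not Dolibarr code. Wraps mysqli prepared statements behind
// a parametrizedQuery() with the signature proposed in the message.
// Assumptions: mysqli connection, PHP >= 5.5, hypothetical table demo_user.

class ParamDb
{
    /** @var mysqli */
    private $db;

    public function __construct(mysqli $db)
    {
        $this->db = $db;
    }

    /**
     * Run $query with '?' placeholders bound to $params.
     * With $type='auto' the bind_param type string is derived from the PHP
     * types of the values (i = int, d = float, s = everything else); pass an
     * explicit mysqli type string such as 'sis' to override. Returns the
     * mysqli_stmt so callers can bind_result/fetch or read affected_rows.
     */
    public function parametrizedQuery($query, array $params, $usesavepoint = 0, $type = 'auto')
    {
        if ($usesavepoint) {
            // Savepoint so one failing statement inside a larger transaction
            // can be rolled back on its own.
            $this->db->query('SAVEPOINT pq_sp');
        }

        $stmt = $this->db->prepare($query);
        if ($stmt === false) {
            throw new RuntimeException('prepare failed: ' . $this->db->error);
        }

        if ($type === 'auto') {
            $type = '';
            foreach ($params as $p) {
                $type .= is_int($p) ? 'i' : (is_float($p) ? 'd' : 's');
            }
        }
        if (strlen($type) !== count($params)) {
            throw new InvalidArgumentException('type string / parameter count mismatch');
        }

        if (count($params) > 0) {
            // bind_param takes its arguments by reference; build the reference
            // array explicitly so this also works on PHP 5.
            $refs = array($type);
            foreach ($params as $k => $v) {
                $refs[] = &$params[$k];
            }
            call_user_func_array(array($stmt, 'bind_param'), $refs);
        }

        if (!$stmt->execute()) {
            $err = $stmt->error;
            if ($usesavepoint) {
                $this->db->query('ROLLBACK TO SAVEPOINT pq_sp');
            }
            throw new RuntimeException('execute failed: ' . $err);
        }
        if ($usesavepoint) {
            $this->db->query('RELEASE SAVEPOINT pq_sp');
        }
        return $stmt;
    }
}

// Usage on the hypothetical demo_user table (constructed credentials).
$db  = new mysqli('localhost', 'demo', 'demo', 'demo');
$pdb = new ParamDb($db);

// 1. Store a hash, never the plain password: password_hash() picks bcrypt
//    and a per-user salt, so two users with the same password get different hashes.
$login = "o'neil";   // the quote is harmless here: the value is bound, not concatenated into SQL
$hash  = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
$pdb->parametrizedQuery('INSERT INTO demo_user (login, pass_hash) VALUES (?, ?)', array($login, $hash));

// 2. Authenticate: look the hash up by login and verify it in PHP.
$stmt = $pdb->parametrizedQuery('SELECT pass_hash FROM demo_user WHERE login = ?', array($login));
$stmt->bind_result($stored);
$authenticated = $stmt->fetch() && password_verify('correct horse battery staple', $stored);
$stmt->close();
var_dump($authenticated);
```

The helper keeps the query text and the values on separate channels, which is what makes the login value above safe regardless of its content; a `'auto'` type string is convenient for porting existing calls, but code that relies on MySQL's implicit int/string coercion should pass an explicit type string so a numeric column is never bound as 's'.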
Dolibarr-dev mailing list: https://lists.nongnu.org/mailman/listinfo/dolibarr-dev