Hi,
As Christophe pointed out there are a lot of SQL queries using cr.execute.
Most of them in osv.osv objects are subject to SQL injection. Example: line 148 in the diff
I think you need to change them if this has to be usable.
Refer lp:422563 for further details of how your methods may be exploited
Also refer: http://doc.openerp.com/contribute/developing_modules.html?highlight=sql%20injection#security (Not sure this is efficient enough though)
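A worked contrast for the issue raised above, added here and not part of the merge proposal or the module under review: a cr.execute() call that splices input into the SQL text beside its parameterized form, plus a small heuristic that flags such calls in module source. It assumes an in-memory sqlite3 database standing in for OpenERP's psycopg2 cursor (so the placeholder is `?` rather than `%s`) and constructed sample rows.

```python
# Added example, not code from the merge proposal. sqlite3 stands in for the
# OpenERP cursor (cr); a real osv method would receive cr from the framework.
import re
import sqlite3

def make_cr():
    """In-memory stand-in for the OpenERP cursor with constructed sample rows."""
    cr = sqlite3.connect(":memory:").cursor()
    cr.execute("CREATE TABLE res_partner (id INTEGER, name TEXT)")
    cr.executemany("INSERT INTO res_partner VALUES (?, ?)",
                   [(1, "Agrolait"), (2, "O'Brien Ltd")])
    return cr

def partner_ids_vulnerable(cr, name):
    # The pattern the review flags: input is formatted into the SQL text itself.
    cr.execute("SELECT id FROM res_partner WHERE name = '%s' ORDER BY id" % name)
    return [row[0] for row in cr.fetchall()]

def partner_ids_safe(cr, name):
    # The value travels as a bound parameter; the SQL text never changes.
    cr.execute("SELECT id FROM res_partner WHERE name = ? ORDER BY id", (name,))
    return [row[0] for row in cr.fetchall()]

def vulnerable_query_fails(cr, name):
    """True when the formatted query stops being valid SQL for this input
    (a plain apostrophe in a name is enough)."""
    try:
        partner_ids_vulnerable(cr, name)
        return False
    except sqlite3.Error:
        return True

# Heuristic: a cr.execute( whose string literal is followed by %, .format( or +.
# It does not parse Python, so multi-line calls or SQL built earlier are missed.
_RISKY = re.compile(r"""cr\.execute\(.*["']\s*(%\s*(\(|\w+\s*\))|\.format\(|\+\s*\w)""")

def audit_execute_calls(source):
    """Return 1-based line numbers of cr.execute() calls that assemble SQL
    with string formatting or concatenation; a review aid, not proof."""
    return [n for n, line in enumerate(source.splitlines(), 1) if _RISKY.search(line)]

# Constructed module excerpt: one risky call and one parameterized call.
SAMPLE_SOURCE = '''\
def _get_ids(self, cr, uid, name):
    cr.execute("SELECT id FROM res_partner WHERE name = '%s'" % name)
    return cr.fetchall()

def _get_ids_ok(self, cr, uid, name):
    cr.execute("SELECT id FROM res_partner WHERE name = %s", (name,))
    return cr.fetchall()
'''
```

Running the audit over a module gives the line numbers a reviewer can cite, while the three query helpers show why the parameterized form is the one to keep.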