[mythtv] Heads up: Smart playlists in MythMusic

Matt Zimmerman mdz at debian.org
Mon Jan 26 21:41:35 EST 2004


On Mon, Jan 26, 2004 at 03:43:49PM -0700, Steele Price wrote:

> Embedding a WHERE clause is pretty safe here. If it's invalid it's just
> going to barf it, so test for an invalid response.

Parsing SQL is non-trivial, but the likelihood of an invalid expression
doing anything harmful is pretty low.

> If you are worried about SQL Injection, you can add a security test for
> that which is a lot faster than the parser would be.

The database is our configuration store; it is trusted.  So as long as that
WHERE clause is built up through a dialog and not supplied by the user,
there's no problem.

-- 
 - mdz
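
An added example, not part of the original message and not MythMusic code: one way a dialog-built WHERE clause can stay safe, by taking column names and operators only from fixed allowlists and passing every value as a bound parameter. The `songs` table, its columns, the operator labels and the helper names are assumptions made for illustration, and SQLite is used only so the block runs stand-alone.

```python
import sqlite3

# Hypothetical allowlists: the only columns and operators the dialog offers.
FIELDS = {"artist", "album", "genre", "year"}
OPERATORS = {"equals": "= ?", "before": "< ?", "after": "> ?",
             "contains": "LIKE ? ESCAPE '\\'"}

def build_where(criteria, match_all=True):
    """Turn dialog picks [(field, operator, value), ...] into (sql, params)."""
    clauses, params = [], []
    for field, op, value in criteria:
        # Identifiers and operators cannot be bound, so they must come
        # from the fixed sets above, never from free text.
        if field not in FIELDS or op not in OPERATORS:
            raise ValueError(f"not offered by the dialog: {field!r} {op!r}")
        if op == "contains":
            # Neutralise LIKE wildcards so the value matches literally.
            for ch in ("\\", "%", "_"):
                value = value.replace(ch, "\\" + ch)
            value = f"%{value}%"
        clauses.append(f"{field} {OPERATORS[op]}")
        params.append(value)  # values travel as bound parameters only
    joiner = " AND " if match_all else " OR "
    return (joiner.join(clauses) or "1=1"), params

def sample_db():
    """Constructed sample data, not MythMusic's real schema."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE songs (artist TEXT, album TEXT, genre TEXT, year INTEGER)")
    db.executemany("INSERT INTO songs VALUES (?, ?, ?, ?)", [
        ("Nirvana", "Nevermind", "Rock", 1991),
        ("Queen", "Jazz", "Rock", 1978),
        ("Miles Davis", "Kind of Blue", "Jazz", 1959),
        ("100%_Pure", "Demo", "Rock", 2001),
    ])
    return db

def select_artists(db, criteria, match_all=True):
    where, params = build_where(criteria, match_all)
    sql = f"SELECT artist FROM songs WHERE {where} ORDER BY artist"
    return [row[0] for row in db.execute(sql, params)]

if __name__ == "__main__":
    db = sample_db()
    print(select_artists(db, [("genre", "equals", "Rock"), ("year", "after", 1990)]))
    # A quote-laden value is compared as data, so nothing matches.
    print(select_artists(db, [("artist", "equals", "x' OR '1'='1")]))
```
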

