[mythtv] Patch for generic SQL query

David Shay david at shay.net
Wed Apr 27 12:21:07 UTC 2005


----- Original Message ----- 
From: "Simon Kenyon" <simon at koala.ie>

> On Wednesday 27 April 2005 05:21, David Shay wrote:
> > As discussed on IRC last night, here is a patch to provide a generic SQL
> > service through the myth protocol.  This will be helpful to external
<snip>
> what security is associated with this?
> is it a mechanism for injecting malicious SQL into the db?

Well, I had considered this.  I could easily modify this so that it would
force a "SELECT" up front.  Of course, carefully crafted subqueries could
bypass that as well, so it wouldn't buy you a whole lot.

Also, any frontend already has a file on it somewhere that identifies the
mythtv sql userid and password.

Also, I would hope that in general you would not have your mythtv protocol
port exposed to the internet anyway.  You can already do enough nasty things
with the standard protocol.  I could easily write something to query all of
the recordings and then delete all of them, all without any authentication.
If security is a concern, I don't believe that this specific protocol really
adds much danger to it.  It's probably better to deal with that issue by
adding some layer of authentication into the overall protocol.

My intention with this was to first create a general protocol extension so
that any functionality that the frontend does today could be replicated by a
non-myth pseudo-frontend.  If specific things turned out to be useful, then
I would create a new protocol command to handle these specific instances -- 
I discussed that with Isaac on IRC.
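
The two designs compared in this message, a generic SQL service guarded by a leading-"SELECT" check versus specific named protocol commands, shown side by side as an added example that is not part of the original post or of MythTV's code. The table names, rows, command names and both functions are constructed for illustration, and SQLite stands in for the real database.

```python
import sqlite3

# Constructed schema and rows for illustration; not MythTV's real tables.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE recordings(id INTEGER PRIMARY KEY, title TEXT, host TEXT);
        CREATE TABLE secrets(name TEXT, value TEXT);
        INSERT INTO recordings(title, host) VALUES ('News', 'fe1'), ('Film', 'fe2');
        INSERT INTO secrets VALUES ('db_password', 'constructed-value');
    """)
    return db

def prefix_filtered_query(db, sql):
    """Generic SQL service guarded only by a 'must start with SELECT' check."""
    if not sql.lstrip().upper().startswith("SELECT"):
        raise PermissionError("only SELECT allowed")
    return db.execute(sql).fetchall()

# Hypothetical named commands: the client picks a name and supplies values,
# never SQL text. Each entry is (statement, number of parameters).
NAMED_QUERIES = {
    "LIST_RECORDINGS": ("SELECT id, title FROM recordings ORDER BY id", 0),
    "RECORDINGS_ON_HOST": (
        "SELECT id, title FROM recordings WHERE host = ? ORDER BY id", 1),
}

def named_query(db, command, params=()):
    """Dispatch a named command with bound parameters."""
    if command not in NAMED_QUERIES:
        raise PermissionError(f"unknown command: {command!r}")
    sql, nparams = NAMED_QUERIES[command]
    if len(params) != nparams:
        raise ValueError(f"{command} takes {nparams} parameter(s)")
    return db.execute(sql, tuple(params)).fetchall()

if __name__ == "__main__":
    db = make_db()
    # The prefix check passes any read the database account is allowed to do.
    print(prefix_filtered_query(db, "SELECT value FROM secrets"))
    # The named command binds client input as data, so it cannot change the SQL.
    print(named_query(db, "RECORDINGS_ON_HOST", ["fe1' OR '1'='1"]))
    print(named_query(db, "RECORDINGS_ON_HOST", ["fe1"]))
```

Named commands narrow what a client can ask for, but they do not replace the protocol-level authentication the message calls for.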


