Nick Jenkins <nickpj@...> writes:
Interesting idea!
Is there *maybe* there some kind SQL injection attack?
E.g. I saved an evil data source like so:
<data table="Companies'; insert into user set user_id = '9999', user_name = 'Nickj2', user_email = 'address@name'; insert into user_groups set ug_user = '9999', ug_group = 'sysop'; insert into user_groups set ug_user = '9999', ug_group = 'bureaucrat'; " template="Infobox company"> name=Microsoft founded=1492 revenue=$8
</data> =======================================
And then the all pages list from the table namespace only showed the 3 test tables:
http://www.kennel17.co.uk/testwiki/index.php?title=Special%3AAllpages&fr...
So that says to me that *maybe* it did something (otherwise I would expect the test 3 + this one).
This is expected behaviour under the current version. Table pages are not automatically created by the addition of data, only when a definition is added. If you enter the following wiki code to a normal page:
<data table="CompaniesNew"> name=Microsoft founded=1492 revenue=$8 </data> [[Table:CompaniesNew]]
then the link to Table:CompaniesNew would be red. Following the link will take you to edit the definition, but removing the &action=edit from the URL will show you the data. The table will not appear in AllPages until you save it.
My plan is to move the data from the bottom of the definition page, to a new 'data' tab, so even if you go to a red-linked definition it will be easy to click 'data' to view the data it contains. I also plan to add a special page called 'Missing tables' or similar. The two of these should solve the problem, but if there are any better ideas out there then I'd be interested to hear them.
Of course, I then tried to use the "reset and email me my password" function to get admin rights to see if it was working, but there was no such user :-(
The code is (I hope...) injection safe. Not FULLY tested, but the obvious cases should be covered. It certainly worked in this case :)
www.kennel17.co.uk/testwiki
I'm probably going to regret asking this, but with a hostname like that I just have to ask: What happened to kennels numbered one through sixteen inclusive?
If you got to www.kennel17.co.uk, you can see that Kennels 16 and 18 are in bad need of repair. The other kennels (in the background or out of shot) aren't up to much either, I'm afraid, so that's why I plumped for #17... :-)
Thanks for the feedback.
-- Mark Clements (HappyDog)