Hi, (sorry, I don't know how to reply directly to the existing thread: http://lists.nongnu.org/archive/html/dolibarr-dev/2013-10/msg00003.html )
This just blew my mind a bit. In this topic, especially the denial of starting to use parametrized queries. And that the password is stored in plain text in the database is a no go. And the statement, that everything of the quoted website has been fixed is not true. I run a freshly installed Dolibarr 3.4.1 and the passwords are indeed available in plain text!

I'm willing to help here and this is what I propose:

- Are there plans to drop the plain password column? Has this already happened in the next version? This goes too much in the core of Dolibarr, so I won't be able to patch this in a meaningful timespan.
- Not using prepared statements is a no go as well. I'd add support for them in the mysql.class.php (not familiar with the others) with a function like this:

    function parametrizedQuery($query, $params, $usesavepoint=0,$type='auto')

  And then start to port the code to use it step by step and make some pull requests.

What do you think? Would this be a way to go?

Best Regards
Philip
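An added sketch of the wrapper proposed in the message above; it is not code from the post or from Dolibarr. The class `DemoDb`, the table `demo_user` and its rows are hypothetical, and PDO with an in-memory SQLite database stands in for the MySQL driver so the example runs without a server.

```php
<?php
// Added illustration, not Dolibarr code. PDO with an in-memory SQLite database
// stands in for the MySQL driver so this runs without a database server.
class DemoDb
{
    private $pdo;

    public function __construct(PDO $pdo)
    {
        $this->pdo = $pdo;
        // Raise exceptions on SQL errors instead of returning false silently.
        $this->pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    }

    // Signature taken from the proposal; $usesavepoint and $type are accepted
    // for compatibility but ignored in this sketch.
    public function parametrizedQuery($query, $params, $usesavepoint = 0, $type = 'auto')
    {
        $stmt = $this->pdo->prepare($query);
        foreach (array_values($params) as $i => $value) {
            // Values travel separately from the SQL text, so quotes in them
            // are data and never change the statement's structure.
            if (is_int($value)) {
                $pdoType = PDO::PARAM_INT;
            } elseif ($value === null) {
                $pdoType = PDO::PARAM_NULL;
            } else {
                $pdoType = PDO::PARAM_STR;
            }
            $stmt->bindValue($i + 1, $value, $pdoType);
        }
        $stmt->execute();
        return $stmt;
    }
}

$db = new DemoDb(new PDO('sqlite::memory:'));
$db->parametrizedQuery('CREATE TABLE demo_user (rowid INTEGER PRIMARY KEY, login TEXT, entity INTEGER)', array());

// Constructed sample rows; the quote in the second login would break a
// query built by string concatenation.
foreach (array('admin', "o'brien") as $login) {
    $db->parametrizedQuery('INSERT INTO demo_user (login, entity) VALUES (?, ?)', array($login, 1));
}

$found = $db->parametrizedQuery(
    'SELECT login FROM demo_user WHERE login = ? AND entity = ?',
    array("o'brien", 1)
)->fetchAll(PDO::FETCH_COLUMN);
print_r($found);
```

Porting a call site then means replacing each concatenated value with a `?` placeholder and moving the value into the `$params` array, which can be done one query at a time.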