There is already an option to have the password encrypted in the database (menu Security - Encrypt password).

Also you suggest to use a method to sanitize SQL request parameters. Using such a function to clean SQL parameters is already done. The function is called db->escape (a method of mysql.class.php). The port to use it step by step was started a few years ago. In the future the continuous integration platform should also be able to complain when escaping of parameters has been forgotten.

2013/11/3 Philip Lehmann-Böhm <phi...@philiplb.de>

> Hi,
>
> (sorry, I don't know how to reply directly to the existing thread:
> http://lists.nongnu.org/archive/html/dolibarr-dev/2013-10/msg00003.html )
>
> This just blew my mind a bit. In this topic, especially the denial of
> starting to use parametrized queries.
> And that the password is stored in plain text in the database is a no go.
>
> And the statement that everything on the quoted website has been fixed
> is not true. I run a freshly installed Dolibarr 3.4.1 and the passwords
> are indeed available in plain text!
>
> I'm willing to help here and this is what I propose:
> - Are there plans to drop the plain password column? Has this already
> happened in the next version? This goes too much into the core of Dolibarr,
> so I won't be able to patch this in a meaningful timespan.
>
> - Not using prepared statements is a no go as well. I'd add support for
> them in mysql.class.php (not familiar with the others) with a
> function like this:
> function parametrizedQuery($query, $params, $usesavepoint=0,$type='auto')
> And then start to port the code to use it step by step and make some
> pull requests.
>
> What do you think? Would this be a way to go?
>
> Best Regards
> Philip
>
> _______________________________________________
> Dolibarr-dev mailing list
> Dolibarr-dev@nongnu.org
> https://lists.nongnu.org/mailman/listinfo/dolibarr-dev
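As an added illustration of the two points raised in the thread (parametrized queries instead of escape-and-concatenate, and hashed rather than plain-text passwords), here is a `parametrizedQuery()` in the shape Philip proposes, built on mysqli prepared statements. This is example code, not Dolibarr's or Philip's; the connection details, the `llx_user` table and its `login`/`pass` columns, and the `$conn` parameter are assumptions for the demonstration.

```php
<?php
// Added example (not Dolibarr code): parametrizedQuery() on top of mysqli
// prepared statements. The SQL text and the values are sent separately, so
// quoting characters in a value can never change the statement itself.
// The $usesavepoint/$type arguments from the proposal are omitted here.
function parametrizedQuery(mysqli $conn, string $query, array $params): mysqli_stmt
{
    $stmt = $conn->prepare($query);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    if ($params) {
        // Derive the bind_param type codes (i = int, d = double, s = string)
        // from the PHP type of each value instead of trusting the caller.
        $types = '';
        foreach ($params as $p) {
            if (is_int($p)) {
                $types .= 'i';
            } elseif (is_float($p)) {
                $types .= 'd';
            } else {
                $types .= 's';
            }
        }
        $stmt->bind_param($types, ...$params);
    }
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    return $stmt;
}

// Assumed connection parameters and table layout (not taken from Dolibarr).
$conn = new mysqli('localhost', 'dbuser', 'dbpass', 'dolibarr');

// Constructed sample input: a login containing a quote character, which a
// forgotten db->escape() would turn into a broken or altered query.
$login = "o'brien";

// Store a salted hash (PHP 5.5+ password_hash) rather than the plain password.
$hash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
parametrizedQuery($conn, 'INSERT INTO llx_user (login, pass) VALUES (?, ?)', [$login, $hash]);

// Login check: read the hash back by login and verify the candidate against it.
$stmt = parametrizedQuery($conn, 'SELECT pass FROM llx_user WHERE login = ?', [$login]);
$row = $stmt->get_result()->fetch_assoc();
$ok = $row !== null && password_verify('correct horse battery staple', $row['pass']);
```

With the placeholders bound by `bind_param`, `o'brien` is stored and looked up as a literal value, and the stored column holds a hash that `password_verify()` can check without the plain password ever being written to the database.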