Support » Plugin: Exports and Reports » Amazing! But it needs a security update

  • It is amazing, I’m surprised :clap:

    But if you put “delete” queries in … it works … and it is very dangerous.

    • This topic was modified 1 week, 5 days ago by anibalardid.
Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Scott Kingsley Clark

    (@sc0ttkclark)

    You can select and display content from any table you want. What kind of security checks do you think should be in place? It’s a plugin that takes a query and builds a table around it that can be filtered and exported.

    I could try and add a basic string check to see if DELETE is at the start of the query, but there are a number of ways to get around it, I’m sure.

    The plugin is meant to let you do whatever you’d like as an admin and provide access to those reports (no direct SQL access) to people of lower roles based on access rights in WP.

    Thread Starter anibalardid

    (@jackalpret)

    If you put “delete from wp_posts” in the query, it works … and it shouldn’t.

    Yeah, I know there are many ways to filter and to avoid it, but maybe add a few checks, just as a check 😉

    Plugin Author Scott Kingsley Clark

    (@sc0ttkclark)

    What about some JS that checks for the word “delete” and if it finds it, warn the person typing the query?
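The thread ends on a JavaScript check for the word “delete”. The example below is an added illustration, not code from the Exports and Reports plugin or its author, of what such a check needs to do to be worth having: skip leading whitespace and comments, ignore words inside string literals and quoted identifiers, refuse a second statement after a `;`, and require the first keyword to be SELECT (or WITH for a CTE) while rejecting write and file-export keywords anywhere in the statement. The function names, the keyword list and the sample queries are all assumptions constructed for the example. A check like this in the browser only warns the person typing; the same rule has to run server-side (in the plugin's PHP) to actually block anything, and the decisive control is running report queries through a database account that only has SELECT rights.

```javascript
'use strict';

// Added example (assumption, not the plugin's code): keywords that indicate a
// write, a schema change, a stored routine call or a file export. Rejecting on
// any of them is deliberately conservative.
const WRITE_KEYWORDS = new Set([
  'DELETE', 'UPDATE', 'INSERT', 'REPLACE', 'DROP', 'ALTER', 'TRUNCATE',
  'CREATE', 'RENAME', 'GRANT', 'REVOKE', 'CALL', 'LOAD', 'LOCK', 'SET',
  'INTO', 'OUTFILE', 'DUMPFILE', 'HANDLER', 'DO',
]);

// Walk the query once, skipping string literals, quoted identifiers and
// comments. Returns the bare word tokens (upper-cased, with their offset) and
// the offsets of statement separators. A plain "starts with DELETE" test sees
// none of this structure.
function tokenizeSql(sql) {
  const words = [];
  const separators = [];
  const n = sql.length;
  let i = 0;
  while (i < n) {
    const c = sql[i];
    const next = i + 1 < n ? sql[i + 1] : '';
    const after = i + 2 < n ? sql[i + 2] : '';
    if (c === '/' && next === '*') {
      // block comment: jump past the closing marker, or to the end if unterminated
      const end = sql.indexOf('*/', i + 2);
      i = end === -1 ? n : end + 2;
    } else if ((c === '-' && next === '-' && (after === '' || /\s/.test(after))) || c === '#') {
      // line comment ("-- " needs a following space in MySQL; "#" does not)
      const end = sql.indexOf('\n', i);
      i = end === -1 ? n : end + 1;
    } else if (c === "'" || c === '"' || c === '`') {
      // quoted literal or identifier: honour backslash escapes and doubled quotes
      i += 1;
      while (i < n) {
        if (sql[i] === '\\') { i += 2; continue; }
        if (sql[i] === c) {
          if (i + 1 < n && sql[i + 1] === c) { i += 2; continue; }
          break;
        }
        i += 1;
      }
      i += 1; // step past the closing quote
    } else if (c === ';') {
      separators.push(i);
      i += 1;
    } else if (/[A-Za-z_]/.test(c)) {
      let j = i;
      while (j < n && /[A-Za-z0-9_]/.test(sql[j])) j += 1;
      words.push({ text: sql.slice(i, j).toUpperCase(), pos: i });
      i = j;
    } else {
      i += 1; // digits, operators, whitespace
    }
  }
  return { words, separators };
}

// True only for a single read-only SELECT statement. A trailing ";" is allowed;
// any token after the first separator means a second statement and is rejected.
function isReadOnlySelect(sql) {
  const { words, separators } = tokenizeSql(sql);
  if (words.length === 0) return false;
  const first = words[0].text;
  if (first !== 'SELECT' && first !== 'WITH') return false;
  if (separators.length > 0 && !words.every((w) => w.pos < separators[0])) return false;
  return !words.some((w) => WRITE_KEYWORDS.has(w.text));
}

// Constructed sample queries for the demonstration (not from the thread, apart
// from the "delete from wp_posts" line the reporter quoted).
const SAMPLE_QUERIES = [
  'select * from wp_posts',
  'delete from wp_posts',
  '  /* report */ DELETE FROM wp_posts',
  "select post_title from wp_posts where post_status = 'delete; drop'",
  'select id from wp_posts; delete from wp_posts',
];

function checkReportQueries(queries) {
  return queries.map((sql) => ({ sql, allowed: isReadOnlySelect(sql) }));
}

for (const r of checkReportQueries(SAMPLE_QUERIES)) {
  console.log(r.allowed ? 'ALLOW ' : 'REJECT', JSON.stringify(r.sql));
}
```

The tokenizer is what makes the difference: a string literal such as `'delete; drop'` is data and must not trip the check, while a comment in front of `DELETE` must not hide it. The keyword list errs on the side of rejecting, so an unusual but legitimate report (for example `SELECT ... INTO @var`) would need to be rewritten rather than allowed through.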
