SQL injections in query() and search()
Date: 2012-12-13 14:06:17 | Priority: Critical
: Cadre Bugs
Most essentially, these occur because ` isn't controlled, so a script/template author can do arbitrarily bad things to the database (and a user might be able to exploit sloppy code). It was never the intention that admin-grade responsibility should be necessary for writing code; thus, this needs to be mitigated.
This will probably remain unfixed until there's an initial release.
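One way to control the backtick, as an added example that is not Cadre's own code: it assumes ` is the MySQL-style identifier quote and that names reach the SQL text by interpolation. The `articles` table, `ALLOWED_COLUMNS` and every function name here are hypothetical.

```python
# Added example. Assumptions: MySQL-style backtick identifier quoting; the
# table, columns and function names below are hypothetical, not Cadre's API.
ALLOWED_COLUMNS = {"id", "title", "body"}


def naive_quote(name):
    """'Before' form: wraps the name in backticks, content left untouched."""
    return "`" + name + "`"


def quote_identifier(name, allowed=None):
    """Backtick-quote a name, doubling embedded backticks; enforce allow-list."""
    if not isinstance(name, str) or not name or "\x00" in name:
        raise ValueError("invalid identifier")
    if allowed is not None and name not in allowed:
        raise ValueError("identifier not in allow-list: %r" % (name,))
    return "`" + name.replace("`", "``") + "`"


def identifier_span(quoted):
    """Length of the leading quoted identifier as a lexer applying the
    doubling rule would read it; -1 if it never terminates."""
    if not quoted.startswith("`"):
        return -1
    i = 1
    while i < len(quoted):
        if quoted[i] == "`":
            if quoted[i + 1:i + 2] == "`":  # doubled backtick: escaped, skip
                i += 2
                continue
            return i + 1  # closing backtick
        i += 1
    return -1


def build_search(column, term):
    """Identifier: allow-list plus quoting. Value: driver placeholder."""
    sql = ("SELECT id FROM articles WHERE "
           + quote_identifier(column, ALLOWED_COLUMNS) + " LIKE %s")
    return sql, ("%" + term + "%",)


if __name__ == "__main__":
    name = "title` x"  # constructed input containing a backtick
    for quoted in (naive_quote(name), quote_identifier(name)):
        # span < len(quoted) means the text after the span is parsed as SQL
        print(quoted, identifier_span(quoted), len(quoted))
    print(build_search("title", "cadre"))
```

A span shorter than the quoted string means the identifier closed early and the remainder is read as SQL; with doubling the span covers the whole string, and the allow-list rejects the name before it is quoted at all.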