openerp-expert-framework team mailing list archive

SQL Injection issues

 

Hi All,

SQL injection when using cursor.execute is one of our major issues and
concerns today.
For example:
A merge proposed last day is again subject to the same issue: (Refer:
https://code.launchpad.net/~frederic-declercq/openobject-addons/addons-fu/+merge/16205)

I found the last major fight here:
https://bugs.launchpad.net/openobject-server/+bug/422563 and the guidelines
here:
http://doc.openerp.com/contribute/developing_modules.html?highlight=sql%20injection#security

But I am not sure it works the way we want.

Can this community publish some guidelines about how to avoid these issues in
the code?

Regards
-- 
Sharoon Thomas
Business Analyst & ERP Consultant
http://bit.ly/5FAJKU