How to prepare variables with quotes before MySQL statements?

This is something we just can't support. This is the equivalent of opening up your computer and breaking the seal that says "No user serviceable parts beyond this point!".

Exposing your cron table to front end users is a REALLY BAD IDEA, no matter how you do it. As soon as you allow anyone to modify the params, they could execute any arbitrary PHP code at a privileged level. Yes, I'm sure you could come up with ways to guard against that, but unless you are a Fabrik / PHP / MySQL Black Belt Ninja Warrior, there's a good chance you'd fail to anticipate something Really Bad <tm>.

-- hugh
 
Hi, Hugh.

I agree, I am not a "Fabrik / PHP / MySQL Black Belt Ninja Warrior" :) able to prevent problems (not at the present time, but why do you think that I will not be in the future?) :) :) :)

Precisely to avoid giving back-end access to people (a lot of them inexperienced) by giving them Superuser access, I need a table and a Fabrik list and form to:
- modify only some parameters:
  - all Schedule: label, frequency, unit, status (only Published/Unpublished)
  - email Plug-in: subject, message
- show (as read-only) only some other parameters:
  - plugin, last run
So, people with appropriate permissions can manage the operation, not the logic/the most important parameters.
You can imagine that people (with appropriate permissions) want to easily change parameters I listed as modifiable (especially subject and message); they must be autonomous in changing them, otherwise they will ask me every time o_O

Thank you.
