Enabling/Disabling Data Alteration Operations and Other Security Considerations
The mashable operations that have security implications include those that can alter data and those finders that use raw SQL rather than prepared statements. You manage these operations for the database mashable as a whole, rather than for individual tables or views.
By default MashZone NextGen generates mashable operations to insert, update or delete records for each table. You can disable any of these operations for all tables in the mashable.
The following finders are not generated by default. You can choose to enable these operations:
Dynamic Finder = the find<table-name>Where operation. This executes a WHERE clause defined as a parameter.
Dynamic Select = the select<table-name> operation. This executes a SELECT statement for the given table and an optional WHERE clause defined as parameters.
These finders are very flexible, allowing you to perform arbitrary SQL commands. However, they are vulnerable to SQL injection attacks and thus a potential security risk.
See Arbitrary SQL Queries for Database Mashables for more information. Administrators can also completely disable the use of these operations for new database mashables using MashZone NextGen Server configuration.
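The following added example (not MashZone NextGen code) contrasts the two finder styles described above, using a constructed SQLite table and hypothetical function names: a dynamic finder splices the caller's WHERE text into the statement and therefore executes it as SQL, while a prepared-statement finder binds values as parameters and checks column names against an allowlist.

```python
import sqlite3

ALLOWED_COLUMNS = {"id", "name", "region"}  # columns a caller may filter on


def build_db():
    """Constructed sample data standing in for a mashable's backing table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, name TEXT, region TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "Ada", "EU"), (2, "Bob", "US"), (3, "Cyd", "EU")],
    )
    return conn


def find_customers_where_dynamic(conn, where_clause):
    """Hypothetical stand-in for a dynamic finder: the WHERE text supplied as a
    parameter is spliced into the statement verbatim, so whatever the caller
    sends is executed as SQL rather than treated as data."""
    return conn.execute(f"SELECT id FROM customers WHERE {where_clause}").fetchall()


def find_customers_where_bound(conn, filters):
    """Hardened form: column names must be in the allowlist (they cannot be
    bound as parameters), and every value is passed to a prepared statement."""
    unknown = set(filters) - ALLOWED_COLUMNS
    if unknown:
        raise ValueError(f"unknown column(s): {sorted(unknown)}")
    clauses = " AND ".join(f"{col} = ?" for col in filters)
    sql = "SELECT id FROM customers"
    if clauses:
        sql += f" WHERE {clauses}"
    return conn.execute(sql, tuple(filters.values())).fetchall()


if __name__ == "__main__":
    db = build_db()
    # Both finders answer a legitimate filter the same way.
    print(find_customers_where_dynamic(db, "region = 'EU'"))  # [(1,), (3,)]
    print(find_customers_where_bound(db, {"region": "EU"}))   # [(1,), (3,)]
    # The same string given as a value is just a value for the bound finder.
    print(find_customers_where_bound(db, {"region": "1=1"}))  # []
    # A column name outside the allowlist is rejected instead of being spliced in.
    try:
        find_customers_where_bound(db, {"1=1": "x"})
    except ValueError as err:
        print("rejected:", err)
```

The bound finder still builds SQL text for column names, which is why the allowlist check is not optional: parameter binding protects values only.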
1. Select the Database Service folder to configure operations with security implications for this database mashable.
2. Clear or set any of the options to disable or enable specific operations for all the tables and views in this database mashable.
3. Click Save.