Alert for SQL Injection in URL: manager.fcgi/notifications/actives?groupBy=substr(uid,1)
Summary
I wish that another word would be used to filter the notifications' display behavior.
Design proposition
The actual design triggers URL protection. We have alerts about potential SQL injection because of the semantics used. I've taken a look at the code and it seems to be safely handled. But I'm no Perl expert. Still, automated inspections are not happy with it. And it's a little scary to see SQL keywords as URL parameters.
Maybe you could wrap those as simple parameters: sort=(group|order)&sort_parameter=uid&length=1
Regards, Clément
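The following is an added illustration of the parameter vocabulary proposed above, not code from the report or from the project (which is written in Perl; this sketch is in Python so it runs stand-alone). It assumes a `notifications` table with an `active` flag and a hypothetical allow-list of columns, and it interprets `length` as the number of leading characters to group or order by, i.e. `substr(column, 1, length)`. The point it demonstrates is that with `sort`, `sort_parameter` and `length` every client-controlled value is checked against a fixed vocabulary before any SQL is built: the column name is only ever copied from the allow-list, the prefix length is bound as a parameter, and a repeated or malformed parameter is refused rather than guessed at.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Hypothetical allow-lists for the proposed vocabulary (assumptions, not the project's schema).
ALLOWED_COLUMNS = ("uid", "component", "severity")
ALLOWED_MODES = ("group", "order")
MAX_LENGTH = 64                                   # upper bound on the prefix length (assumption)
LENGTH_RE = re.compile(r"^[1-9][0-9]{0,2}$")       # ASCII digits only: no sign, exponent or junk


class BadRequest(ValueError):
    """Raised for any parameter outside the allowed vocabulary."""


def _one(params, name, required=True):
    """Return the single value of a query parameter; refuse missing or repeated ones."""
    values = params.get(name, [])
    if not values:
        if required:
            raise BadRequest(f"missing parameter: {name}")
        return None
    if len(values) != 1:
        raise BadRequest(f"parameter repeated: {name}")
    return values[0]


def build_query(query_string):
    """Translate sort=(group|order)&sort_parameter=<col>&length=<n> into SQL plus bound values."""
    params = parse_qs(query_string, keep_blank_values=True)
    mode = _one(params, "sort")
    if mode not in ALLOWED_MODES:
        raise BadRequest(f"sort must be one of {ALLOWED_MODES}")
    column = _one(params, "sort_parameter")
    if column not in ALLOWED_COLUMNS:
        raise BadRequest(f"sort_parameter must be one of {ALLOWED_COLUMNS}")
    raw_length = _one(params, "length", required=False)
    bound = ()
    if raw_length is None:
        key_expr = column                            # whole value: no substr() needed
    else:
        if not LENGTH_RE.match(raw_length) or int(raw_length) > MAX_LENGTH:
            raise BadRequest(f"length must be an integer between 1 and {MAX_LENGTH}")
        key_expr = f"substr({column}, 1, ?)"         # column came from the allow-list, length is bound
        bound = (int(raw_length),)
    if mode == "group":
        sql = (f"SELECT {key_expr} AS grp, COUNT(*) AS n FROM notifications "
               f"WHERE active = 1 GROUP BY {key_expr} ORDER BY 1")
        bound = bound * 2                            # the key expression appears twice
    else:
        sql = (f"SELECT uid, component, severity FROM notifications "
               f"WHERE active = 1 ORDER BY {key_expr}, uid")
    return sql, bound


def is_rejected(query_string):
    """True when the vocabulary check refuses the query string before any SQL is built."""
    try:
        build_query(query_string)
    except BadRequest:
        return True
    return False


# Constructed sample rows for the demonstration; not data from the project.
SAMPLE_ROWS = [
    ("alice", "web", "high", 1),
    ("albert", "db", "low", 1),
    ("bob", "web", "high", 1),
    ("bruno", "db", "low", 0),      # inactive: must not appear in the results
]


def run(query_string):
    """Execute the translated query against an in-memory SQLite copy of the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notifications (uid TEXT, component TEXT, severity TEXT, active INTEGER)")
    conn.executemany("INSERT INTO notifications VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    sql, bound = build_query(query_string)
    return conn.execute(sql, bound).fetchall()


if __name__ == "__main__":
    print(run("sort=group&sort_parameter=uid&length=1"))          # [('a', 2), ('b', 1)]
    print(run("sort=order&sort_parameter=severity"))
    for bad in ("sort=group&sort_parameter=substr(uid,1)",          # SQL in a parameter value
                "sort=group&sort_parameter=uid&length=1)--",        # junk appended to the length
                "sort=group&sort=order&sort_parameter=uid"):        # parameter pollution
        print("rejected:", bad, is_rejected(bad))
```

Because the scanner only ever sees `sort=group&sort_parameter=uid&length=1`, there is no SQL keyword in the URL to alert on, and the server-side mapping is small enough to review without being a Perl expert.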