It looks perhaps like the plugin is _very_ insecure. It seems to be passing in all input to GT::SQL, which is why you have d and s - I assume d is the dynamic parameter and s... hmm, I'm not sure, but anyway that is what I think is happening.
This bug means I could change my user status to admin if I wanted (if it works the same way on the UPDATE query).
You should check the plugin Perl module to see what the code looks like. Post it here if you are unsure.