• Resolved martin4nbi

    (@martin4nbi)


    Hello…

    For your Advanced Data Table widget, if I configure it with Source = “Database”, “Select Query” = “MySQL Query”, and then enter a MySQL Query like DROP TABLE wp_posts;, what will happen? Will the table be dropped?

    Also, on a multisite network, is there any mechanism to prevent an author on one site from querying tables on a different site on the multisite network? Or is there any protection against writing an INSERT, UPDATE, DROP TABLE or similar potentially damaging SQL as the MySQL query?

Viewing 8 replies - 1 through 8 (of 8 total)
  • Plugin Support AR Rasel

    (@arrasel403)

    Hi @martin4nbi,

    Sorry for the inconvenience caused and the late reply.
    Once you have run the DROP SQL query, the table will be dropped.

    And currently, we don’t have an option for preventing the author or any other users from adding SQL queries. Once any SQL query is added, it will work.

    Hope you understand. Thanks!

    Thread Starter martin4nbi

    (@martin4nbi)

    Wow, so the “Advanced Data Table” is potentially very dangerous.

    Is it disabled by default when you activate your plugin? Have you warned about this potential danger in the documentation?

    Plugin Support AR Rasel

    (@arrasel403)

    Hi @martin4nbi,

    Actually, this is not dangerous. This SQL command can be run only by the site Admin, or by roles you have given permission to edit the page with Elementor.
    Users who have permission to edit Elementor pages can do it easily after logging into the dashboard. So you need to restrict the Elementor page editing option accordingly.

    Moreover, as this is a Pro feature, according to the WordPress rules we can’t discuss this further here. If you have any other queries, please reach us here.

    Our team will help you. Don’t worry. Thanks!

    Thread Starter martin4nbi

    (@martin4nbi)

    The Advanced Data Table is listed as #36 under the heading “50+ FREE WIDGETS AND COUNTING” on your main EAEL WordPress plugin page here. (It is not listed under the “MORE ELEMENTS (35+) ON PREMIUM VERSION” section.) Is that page incorrect?

    This widget is dangerous. Any page author allowed to use Elementor can use the Advanced Data Table. I have verified this in my testing. That’s why I asked if the Advanced Data Table widget is enabled by default. Could you please reply to that?

    Plugin Support AR Rasel

    (@arrasel403)

    Hi @martin4nbi,

    Actually, in the Advanced Data Table widget, some features are free and some are Pro. Check this screenshot. Here the four red-marked features are our Pro features and the other two are the free features.

    As this widget has free features, we kept it in the Free widget section. And you are asking about the Pro feature.

    However, thanks for your valuable suggestions. I will discuss this with our Dev Team. Hopefully, we will fix this issue in one of our upcoming releases. Once we have fixed this issue, we’ll inform you. Please allow us time.

    Have a good day!

    Thread Starter martin4nbi

    (@martin4nbi)

    Thank you for the update Rasel.

    At a minimum, it would be prudent for the Dev Team to validate the SQL expression and only allow “SELECT” statements, which is a simple thing to do. That would prevent destructive actions. (But it would not prevent queries of data from other sites in a multi-site network.)

    As it is right now, I think that any “author” with access to the “pro” version could wreak havoc even if they don’t have full permission to publish their own posts, because they can use the post “preview” feature to execute the SQL and view the page.
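
    The SELECT-only validation suggested in the post above, as an added example that is not part of this thread and not code from the Essential Addons plugin. It goes a step beyond the post: besides accepting only a single SELECT and rejecting the SELECT forms that write or read files, take locks or stall the server, it also refuses tables that belong to another site on a multisite network, using the WordPress table-prefix convention (`wp_` for the main site, `wp_<blog_id>_` for the others). The function names, the `base_prefix`/`blog_id` parameters and the sample queries are assumptions made for the example.

```python
"""
Allow-list check for a user-supplied MySQL query before it reaches the database.

Added example for this forum thread; not code from the Essential Addons plugin.
Function names, parameters and sample queries are assumptions for illustration.
"""
import re

# Lexical shortcuts used to smuggle a second statement or hide part of the
# query from a naive "starts with SELECT" check. They are rejected outright
# rather than stripped: stripping text can change what the server would see
# (a ';' inside a string literal looks like a comment start to a naive stripper).
_DANGEROUS_TOKENS = (";", "/*", "--", "#")

# SELECT forms that are not read-only or are abusable from inside a SELECT:
# SELECT ... INTO OUTFILE/DUMPFILE writes server files, LOAD_FILE() reads them,
# FOR UPDATE / LOCK IN SHARE MODE take row locks, GET_LOCK/SLEEP/BENCHMARK stall.
_FORBIDDEN = re.compile(
    r"\b(INTO|FOR\s+UPDATE|LOCK\s+IN\s+SHARE\s+MODE|LOAD_FILE|GET_LOCK|SLEEP|BENCHMARK)\b",
    re.I,
)

# Server-level schemas that leak structure or credentials even via SELECT.
_SCHEMA_REF = re.compile(r"\b(information_schema|mysql|performance_schema|sys)\s*\.", re.I)


def site_table_prefix(base_prefix: str, blog_id: int) -> str:
    """WordPress multisite convention: blog 1 keeps the base prefix, others get wp_<id>_."""
    return base_prefix if blog_id == 1 else f"{base_prefix}{blog_id}_"


def references_foreign_site_table(sql: str, base_prefix: str, blog_id: int) -> bool:
    """True if any wp_-prefixed identifier in sql belongs to a different site.

    Deliberately conservative: on a sub-site this also refuses the shared
    network tables (wp_users, wp_usermeta, ...), which hold password hashes.
    """
    own = site_table_prefix(base_prefix, blog_id).lower()
    for ident in re.findall(r"\b" + re.escape(base_prefix) + r"[A-Za-z0-9_]*", sql, re.I):
        if blog_id == 1:
            # Main site: anything shaped wp_<digits>_ is a sub-site table.
            if re.match(re.escape(base_prefix) + r"\d+_", ident, re.I):
                return True
        elif not ident.lower().startswith(own):
            return True
    return False


def validate_select_only(sql: str, base_prefix: str = "wp_", blog_id: int = 1) -> tuple[bool, str]:
    """Return (ok, reason); ok is True only for one read-only SELECT on this site's tables."""
    body = sql.strip()
    for tok in _DANGEROUS_TOKENS:
        if tok in body:
            return False, f"contains {tok!r}"
    if not re.match(r"SELECT\b", body, re.I):
        return False, "not a SELECT statement"
    hit = _FORBIDDEN.search(body)
    if hit:
        return False, f"forbidden clause or function {hit.group(0)!r}"
    if _SCHEMA_REF.search(body):
        return False, "references a system schema"
    if references_foreign_site_table(body, base_prefix, blog_id):
        return False, "references another site's tables"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample queries (no real site data), run as blog 1 and blog 3.
    samples = [
        ("SELECT ID, post_title FROM wp_posts WHERE post_status = 'publish'", 1),
        ("DROP TABLE wp_posts", 1),
        ("SELECT 1; DROP TABLE wp_posts", 1),
        ("SELECT LOAD_FILE('/etc/passwd')", 1),
        ("SELECT * FROM wp_3_posts", 3),
        ("SELECT * FROM wp_5_posts", 3),
        ("SELECT user_pass FROM wp_users", 3),
    ]
    for query, blog in samples:
        print(f"blog {blog}: {query!r} -> {validate_select_only(query, blog_id=blog)}")
```

    This is a lexical allow-list, not an SQL parser, so it errs on the side of rejecting odd but legitimate queries (a `--` in arithmetic, a `#` in a string literal). It also does nothing about what the plugin's database account is allowed to do; a separate MySQL account granted only SELECT on the site's own tables would enforce the same property server-side even if the check is bypassed.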

    Plugin Author Rafin

    (@rafinkhan)

    @martin4nbi,

    Hi there. We have pushed a new update today for the EA Advanced Data Table widget which will take care of the issue you have reported.

    Thank you!

    Thread Starter martin4nbi

    (@martin4nbi)

    Thank you. I appreciate the quick update. I’ve upgraded to the latest version.

  • The topic ‘Advanced Data Table – unsafe SQL’ is closed to new replies.