It outputs a matrix of user avatars. But...does this create an opportunity for SQL injection? In other words, could a mischievous user jigger the sqlquery passed to drop tables, etc.?
I don't know enough about this to know one way or another.
If you pass the whole SQL string, you of course expose the site to SQL injection. You could change the statement and delete something, add a user or whatever you like.
If you do it the way I proposed, you should be fine.
You can also hide the whole query by using POST instead of GET (or the other way round). I am not sure which one was the right one. Just give it a try.
Do me a favour and go to www.st-sebastian-beckum.de and click on the green image, which says TOP 50, and vote for the page. Thanks!
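As an added illustration of the point raised above (this is example code written for this thread, not the module's own code and not what Caspar proposed), the snippet below contrasts a handler that executes whatever SQL string the request carries with one that keeps the query text in the code and only takes values from the request. It uses an in-memory SQLite table with constructed sample rows in place of the site's real user table; the column names, the `sort`/`limit` parameters and the `ALLOWED_SORT` whitelist are assumptions. It also shows why the request method makes no difference: both handlers receive a plain dictionary, and a POST body is just as easy for a client to write as a GET query string.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for the site's user table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, avatar TEXT, hits INTEGER)"
    )
    db.executemany(
        "INSERT INTO users (username, avatar, hits) VALUES (?, ?, ?)",
        [("alice", "alice.png", 12), ("bob", "bob.png", 7), ("carol", "carol.png", 30)],
    )
    db.commit()
    return db


def avatars_vulnerable(db, request):
    """The pattern asked about: the whole SQL string arrives in the request.

    `request` is a dict of client-supplied fields, so it does not matter whether
    they came from a GET query string or a POST body: the client chose the text.
    """
    return db.execute(request["sqlquery"]).fetchall()


# Hypothetical whitelist of columns the client may sort by. Identifiers cannot
# be bound as parameters, so they must be checked against a fixed set.
ALLOWED_SORT = {"username", "hits"}


def avatars_hardened(db, request):
    """The query text is fixed in code; the client only supplies values.

    The sort column is restricted to a whitelist and the row limit is bound as a
    parameter, so neither field is ever parsed as SQL.
    """
    sort = request.get("sort", "username")
    if sort not in ALLOWED_SORT:
        raise ValueError("unknown sort column")
    try:
        limit = int(request.get("limit", 50))
    except ValueError:
        raise ValueError("limit must be an integer")
    if not 1 <= limit <= 100:
        raise ValueError("limit out of range")
    # `sort` is safe to interpolate only because it was just whitelisted.
    sql = f"SELECT username, avatar FROM users ORDER BY {sort} LIMIT ?"
    return db.execute(sql, (limit,)).fetchall()


def user_count(db):
    return db.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def demo():
    """Run an honest and a mischievous request against both handlers."""
    results = {}

    db = make_db()
    # Honest request: the module's intended query, sent by the page itself.
    results["vuln_ok"] = avatars_vulnerable(
        db, {"sqlquery": "SELECT username, avatar FROM users ORDER BY hits DESC LIMIT 2"}
    )
    # Mischievous request: the "query" is simply replaced with something else.
    avatars_vulnerable(db, {"sqlquery": "DELETE FROM users"})
    results["after_attack"] = user_count(db)

    db = make_db()
    results["hard_ok"] = avatars_hardened(db, {"sort": "hits", "limit": "2"})
    # The same trick against the hardened handler is rejected before any SQL runs.
    try:
        avatars_hardened(db, {"sort": "hits; DELETE FROM users", "limit": "2"})
        results["hard_attack"] = "executed"
    except ValueError as exc:
        results["hard_attack"] = str(exc)
    results["after_hardened"] = user_count(db)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened version follows the usual rule: the set of statements the page can run is decided in code, values are passed as bound parameters, and anything that has to become part of the statement text (a column name, a sort direction) is validated against a fixed list rather than copied from the request.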
Thanks Caspar, I'll follow your advice. I just released a beta of the module in another thread.
I want to turn it into a component, but apparently it's easy to construct the backend interface for a module through the XML setup file, whereas for a component you have to build the backend interface through code.