Originally Posted by Ben
Good work, seems to be an interesting plugin.
Even though this was just sample code, would you mind validating and escaping all external input, e.g. here to validate $_REQUEST['id'] as being just numbers or characters, whatever the right syntax will be, and if the valid charset could lead to SQL injection or similar, you should escape it additionally.
Btw, this should happen for all data that you cannot control, in this case also for data you gather from and to the Exchange side.
Yes, we know that. In all forms, we put validators, and when we extract data from Exchange (Active Directory) we also validate the format.
We try our best, but we will also need other "eyes" to be sure that everything conforms to ISPConfig and to security.