And how many web forms forget to check for the presence of a percent sign
and execute SQL searches without checking it, using clauses
similar to "WHERE table.field LIKE :parameter" by directly binding the
submitted form value to the "parameter" variable placeholder, ignoring
the fact that the percent sign in the right operand of a LIKE is
parsed specially by the SQL engine?

Same thing about programs using submitted values directly (or
concatenating them) to create any kind of regular expression, or to
generate a SQL statement (with the security issue of possible SQL
injection to retrieve confidential data, by terminating the query
statement with a quote, a semicolon, and initiating a second statement
which could even drop the full database or alter any other tables in
that database?).
2013/3/22 Stephan Stiller <stephan.stiller_at_gmail.com>:
>
>> This one is incredible:
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=922433
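The LIKE problem described in the message above, shown as an added example (not code from the original post or from the bug report it cites): binding the raw form value keeps the query free of SQL injection, yet a submitted "%" or "_" still acts as a wildcard; escaping those metacharacters and declaring the escape character with ESCAPE fixes it. The table, rows and helper names are constructed for the example.

```python
import sqlite3

# Constructed sample data for the example (not from the original post).
ROWS = [("alice", "alice@example.org"),
        ("bob", "bob@example.org"),
        ("carol_x", "carol@example.org")]

ESC = "\\"  # escape character announced to the engine via the ESCAPE clause


def make_db():
    """Build an in-memory SQLite database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def escape_like(value, esc=ESC):
    """Neutralise LIKE metacharacters so the bound value matches literally.

    The escape character itself is doubled first, then % and _ are prefixed.
    """
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def search_naive(conn, term):
    """Binds the form value as-is: no injection, but % and _ remain wildcards."""
    cur = conn.execute("SELECT name FROM users WHERE name LIKE ?", (term,))
    return [row[0] for row in cur]


def search_safe(conn, term):
    """Escapes the user's text, then adds the application's own wildcards
    for a 'contains' search and tells the engine which escape char is used."""
    pattern = "%" + escape_like(term) + "%"
    cur = conn.execute(
        "SELECT name FROM users WHERE name LIKE ? ESCAPE '\\'", (pattern,))
    return [row[0] for row in cur]


if __name__ == "__main__":
    db = make_db()
    print("naive '%':", search_naive(db, "%"))   # every row, as the post warns
    print("safe  '%':", search_safe(db, "%"))    # only names containing a literal %
    print("safe  '_':", search_safe(db, "_"))    # only names containing a literal _
```

Which character is the default LIKE escape differs between engines (MySQL treats backslash as one by default, SQLite and PostgreSQL need the ESCAPE clause for the chosen character), so the escape helper and the ESCAPE clause must agree.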
Received on Fri Mar 22 2013 - 19:30:25 CDT
This archive was generated by hypermail 2.2.0 : Fri Mar 22 2013 - 19:30:27 CDT