You probably thought of little Bobby Tables when writing this email...
http://xkcd.com/327/
On 23 March 2013 at 01:35, "Philippe Verdy" <verdy_p_at_wanadoo.fr> wrote:
> And how many web forms forget to check the presence of a percent sign
> and are executing SQL searches without checking it, using clauses
> similar to "WHERE table.field LIKE :parameter" by binding directly the
> submitted form value to the "parameter" variable placeholder, ignoring
> the fact that the percent sign in the right operand of a LIKE is
> parsed specially by the SQL engine?
>
> Same thing about programs using submitted values directly (or
> concatenating them) to create any kind of regular expressions, or to
> generate a SQL statement (with the security issue of possible SQL
> injection to retrieve confidential data, by terminating the query
> statement with a quote, a semicolon, and initiating a second statement
> which could even drop the full database or alter any other tables in
> that database?).
>
> 2013/3/22 Stephan Stiller <stephan.stiller_at_gmail.com>:
> >
> >> This one is incredible:
> >>
> >> https://bugzilla.redhat.com/show_bug.cgi?id=922433
>
>
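The two defects discussed in the quoted message (string concatenation into a SQL statement, and a bound LIKE parameter whose "%" and "_" are still treated as wildcards) can be reproduced side by side. The following is an added example written for this archive page, not code from either poster; it assumes Python's standard sqlite3 module and a small constructed "users" table, and the helper names (escape_like, search_naive, search_literal) are made up here.

```python
import sqlite3

# Escape character used in the LIKE ... ESCAPE clause below (assumption: backslash).
LIKE_ESCAPE = "\\"


def escape_like(value: str, escape_char: str = LIKE_ESCAPE) -> str:
    """Escape LIKE metacharacters so a bound value is matched literally.

    Parameter binding stops SQL injection, but the SQL engine still
    interprets % and _ inside the bound value as wildcards. Escape the
    escape character first, then the two wildcards.
    """
    return (value.replace(escape_char, escape_char * 2)
                 .replace("%", escape_char + "%")
                 .replace("_", escape_char + "_"))


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with names that contain LIKE metacharacters."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "alice@example.org"),
        ("bob_smith", "bob@example.org"),
        ("o'brien", "obrien@example.org"),
        ("100%", "pct@example.org"),
    ])
    return conn


def concatenation_breaks(conn: sqlite3.Connection, term: str) -> bool:
    """The defect the message warns about: the form value is pasted into the SQL.

    Returns True if the engine rejects the resulting statement, which is what
    happens as soon as the submitted value contains a single quote.
    """
    try:
        conn.execute("SELECT name FROM users WHERE name LIKE '%" + term + "%'")
        return False
    except sqlite3.OperationalError:
        return True


def search_naive(conn: sqlite3.Connection, term: str) -> list:
    """Bound parameter: immune to injection, but wildcards in term leak through."""
    rows = conn.execute(
        "SELECT name FROM users WHERE name LIKE :parameter",
        {"parameter": "%" + term + "%"},
    ).fetchall()
    return [r[0] for r in rows]


def search_literal(conn: sqlite3.Connection, term: str) -> list:
    """Bound parameter plus escaping and an ESCAPE clause: term is matched literally."""
    rows = conn.execute(
        "SELECT name FROM users WHERE name LIKE :parameter ESCAPE '\\'",
        {"parameter": "%" + escape_like(term) + "%"},
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    print("concatenated, term o'b -> error:", concatenation_breaks(db, "o'b"))
    print("naive bound, term % ->", search_naive(db, "%"))      # every row
    print("literal bound, term % ->", search_literal(db, "%"))  # only '100%'
    print("literal bound, term _ ->", search_literal(db, "_"))  # only 'bob_smith'
```

The ESCAPE clause is what makes the escaping meaningful: without it the engine has no way to know that a backslash before "%" is not part of the data, so both halves of the fix have to travel together. Note that sqlite3's execute() only accepts a single statement, so the "quote, semicolon, second statement" variant from the message fails differently here; the concatenated query is nevertheless broken by ordinary data such as a surname with an apostrophe.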
Received on Sat Mar 23 2013 - 04:25:50 CDT