[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Intresting case of SQL Injection

To: "Martin Sarsale (runa@sytes)" <runa@runa.sytes.net>
Subject: Re: Intresting case of SQL Injection
From: Markus Fischer <mfischer@gjat.josefine.at>
Date: Thu, 4 Dec 2003 23:37:58 +0100

On Thu, Dec 04, 2003 at 04:39:15PM -0300, Martin Sarsale (runa@sytes) wrote : 
> Yesterday, we found an interesting case of SQL Injection.
[...]
> The main problem here was that developers where trusting in PHP auto
> escaping which worked in MySQL (and probably PostgreSQL) but not in MSSQL.

    The main problem in fact are developers who do not read the manual
    for their language of choice[tm]. It is documented that
    magic_quotes_sybase = true
    uses the alternate escaping style needed by non-MySQL alike
    databases (eg. MSSQL).

    regards,
        - Markus

References:
- Intresting case of SQL Injection
  - From: "Martin Sarsale (runa@sytes)" <runa@runa.sytes.net>

Prev by Date: Yahoo Messenger Flaw allows injection of JavaScript into IM Windows
Next by Date: [CLA-2003:796] Conectiva Security Announcement - kernel
Previous by thread: Intresting case of SQL Injection
Next by thread: RE: Intresting case of SQL Injection
Index(es):
- Date
- Thread