
Re: [Full-Disclosure] Question: is this exploitable?



>>>>> "Paulo" == Paulo Pereira <pjp@paulo-pereira.net> writes:

Paulo> $sth = $dbh->prepare("insert into projects values(null,\"$project\")");

This clearly should have been:

  my $sth = $dbh->prepare("insert into projects values(null, ?)");
  $sth->execute($project);

which will Do The Right Thing.

Placeholders, people.  Placeholders.
-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
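The contrast Randal draws, as an added example (not code from anyone in the thread): the interpolated statement beside the placeholder version, mirrored in Python's sqlite3, whose `?` placeholders bind the same way DBI's do. The table schema and the project name are constructed for the demo, and the interpolated variant uses single quotes because SQLite reads double-quoted tokens as identifiers.

```python
"""Interpolation vs. placeholders for the statement in the thread,
mirrored in Python's sqlite3 (constructed demo; not the list post's code)."""
import sqlite3

# Constructed sample input: a perfectly legitimate project name that
# happens to contain the quote character the SQL string literal uses.
PROJECT_NAME = "O'Reilly tooling"


def fresh_db():
    """In-memory database with the table the original statement targets."""
    db = sqlite3.connect(":memory:")
    db.execute("create table projects (id integer primary key, name text)")
    return db


def insert_interpolated(db, project):
    """The pattern Paulo posted: the value is spliced into the SQL text.
    (Single quotes here because SQLite reads double-quoted tokens as
    identifiers; the MySQL-era original used double quotes with the same flaw.)
    Returns the stored name, or the error the database raised."""
    try:
        db.execute(f"insert into projects values(null, '{project}')")
        return db.execute("select name from projects").fetchone()[0]
    except sqlite3.DatabaseError as exc:
        return f"ERROR: {exc}"


def insert_placeholder(db, project):
    """Randal's fix: '?' marks a parameter; the driver sends the value
    separately, so its content can never alter the statement."""
    db.execute("insert into projects values(null, ?)", (project,))
    return db.execute("select name from projects").fetchone()[0]


def compare(project=PROJECT_NAME):
    """Run both variants against fresh tables and report what each stored."""
    return {
        "interpolated": insert_interpolated(fresh_db(), project),
        "placeholder": insert_placeholder(fresh_db(), project),
    }


if __name__ == "__main__":
    for variant, result in compare().items():
        print(f"{variant:13} -> {result!r}")
```

The interpolated variant fails on a name that merely contains an apostrophe; the placeholder variant stores it verbatim, which is the whole point of letting the driver do the quoting.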