[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] Question: is this exploitable?

To: full-disclosure@lists.netsys.com
Subject: Re: [Full-Disclosure] Question: is this exploitable?
From: John Sage <jsage@finchhaven.com>
Date: Sat, 18 Oct 2003 15:47:38 -0700

heh..

On Sat, Oct 18, 2003 at 07:16:13AM -0700, Randal L. Schwartz wrote:
> >>>>> "Paulo" == Paulo Pereira <pjp@paulo-pereira.net> writes:
> 
> Paulo> $sth = $dbh->prepare("insert into projects values(null,\"$project\")");
> 
> This clearly should have been:
> 
>   my $sth = $dbh->prepare("insert into projects values(null, ?)");
>   $sth->execute($project);
> 
> which will Do The Right Thing.
> 
> Placeholders, people.  Placeholders.


Hello, Randal! How good of you to be here!



- John
-- 
"Most people don't type their own logfiles;  but, what do I care?"
-
John Sage: InfoSec Groupie
-
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
-
ATTENTION: this entire message is privileged communication, intended
for the sole use of its recipients only. If you read it even though
you know you aren't supposed to, you're a poopy-head.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- [Full-Disclosure] Question: is this exploitable?
  - From: "Paulo Pereira" <pjp@paulo-pereira.net>
- Re: [Full-Disclosure] Question: is this exploitable?
  - From: merlyn@stonehenge.com (Randal L. Schwartz)

Prev by Date: RE: [Full-Disclosure] AT&T early warning system
Next by Date: [Full-Disclosure] [ANNOUNCE] mod_security 1.7 released
Previous by thread: Re: [Full-Disclosure] Question: is this exploitable?
Next by thread: Re: [Full-Disclosure] Question: is this exploitable?
Index(es):
- Date
- Thread