On Dec 5, 2009, at 5:13 PM, Tom Jackson wrote:

> Really? The title of the post says AOLserver is vulnerable.

No, it says ... "[AOLSERVER] Is this vulnerable to sql injection?"

"[AOLSERVER]" is the name of this mailing list, not the antecedent of "this".

"this" is defined in the body of the message:

"I've been alerted that a site I maintain, running on AOLserver 4.5.0
using the nspostgres driver, may be vulnerable to sql injection."

Hmmm, nspostgres driver, which RDBMS is he using, I wonder ...


> Tcl can write a query string which uses the keyword NULL.
> Unfortunately the simple (but very nice and also safe) bind variable
> concept doesn't handle this common requirement.

You've got it backwards: it's the empty string, not NULL, which a bind variable in Oracle (or in our emulation for Postgres) doesn't handle; it becomes NULL (this is true of the empty string in Oracle in general).

For those of us writing queries to be shared between Oracle and PG, Oracle-compatible bindvar emulation is a virtue.

But if it's an issue for the original poster, he shouldn't use the feature.

----
Don Baccus
http://donb.photo.net
http://birdnotes.net
http://openacs.org
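The exchange above turns on two behaviours of Oracle-style bind variables: a bound value is rendered as a literal rather than spliced into the query text, so quote characters in user input cannot alter the statement, and an empty string bound through the Oracle-compatible emulation arrives as NULL. The following is an added example, not code from the thread, from AOLserver, nspostgres or OpenACS: a deliberately small Python model of that emulation (the real driver does this in C and is more careful about string literals in the template), placed beside the "$var in the query string" pattern the original poster was worried about. The table and column names, and the `bind_substitute` and `quote_literal` helpers, are assumptions made for the illustration.

```python
import re

# Matches a :name placeholder but not the PostgreSQL "::type" cast syntax:
# neither colon of "::" is followed directly by an identifier start while
# also not being preceded by another colon.
# Caveat (toy model): a ":word" inside a quoted SQL literal in the template
# would also be treated as a placeholder; a real driver skips literals.
BIND_RE = re.compile(r"(?<!:):([A-Za-z_]\w*)")


def quote_literal(value: str) -> str:
    """Render a bound string as a SQL literal the way the Oracle-compatible
    emulation described in the thread does: embedded single quotes are
    doubled, and the empty string becomes NULL (Oracle semantics)."""
    if value == "":
        return "NULL"
    return "'" + value.replace("'", "''") + "'"


def bind_substitute(sql: str, bindings: dict) -> str:
    """Replace every :name in the template with the quoted bound value.
    Unbound names are an error rather than being left in the query."""
    def repl(match: re.Match) -> str:
        name = match.group(1)
        if name not in bindings:
            raise KeyError(f"no value bound for :{name}")
        return quote_literal(bindings[name])
    return BIND_RE.sub(repl, sql)


# Hypothetical schema used only for the demonstration.
QUERY_TEMPLATE = "select user_id from users where email = :email"


def build_by_interpolation(email: str) -> str:
    """The pattern under discussion: Tcl-style "... = '$email'" string
    building. Attacker-controlled quotes reach the SQL parser unchanged."""
    return f"select user_id from users where email = '{email}'"


def build_with_bind(email: str) -> str:
    """The same query built through the bind-variable emulation."""
    return bind_substitute(QUERY_TEMPLATE, {"email": email})


if __name__ == "__main__":
    # Constructed hostile input: a classic tautology payload.
    hostile = "x' or '1'='1"
    print("interpolated:", build_by_interpolation(hostile))
    print("bound:       ", build_with_bind(hostile))
    # Don's point: the empty string does not survive as ''; it becomes NULL,
    # and "email = NULL" is never true, so callers who need to match empty
    # strings must not rely on this feature.
    print("empty bound: ", build_with_bind(""))
    # "::int" casts survive substitution untouched.
    print(bind_substitute("select :n::int, :s from t", {"n": "5", "s": "O'Brien"}))
```

Run it and compare the two lines for the hostile input: the interpolated query has gained an `or '1'='1'` clause, while the bound version carries the whole payload as one quoted literal with its quotes doubled. The third line shows the caveat from the thread, `where email = NULL`, which is why code that must distinguish empty strings from NULL should either avoid bind variables for that value or compare with `is null` explicitly.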


--
AOLserver - http://www.aolserver.com/
