Hello, thanks for the feedback. Be assured that the SQL injection danger was considered long ago. Care2x neutralizes user inputs using PHP native functions. Also, command parsing like exec() is never used to process user input, nor dynamic data from the database, nor anything else.
Elpidio

On Friday 12 November 2004 02:24, Daniel Ignat wrote:
> PS. I realized that you may use the '%' SQL operator
> in a query.. I don't know if this is a 'feature' or
> a 'bug'. It may be a security breach. Are you aware
> of the 'SQL inject' attacks? It seems that there is
> no expression checking on the 'person search' input
> text.. (but I recognize I didn't have the time to
> check the code, so sorry if this isn't true; I just
> had it in my mind since a while and wanted to warn you)
>
> PSS Example of a MySQL 'SQL inject' attack (I hope
> to remember it correctly, but if not, you will grasp
> the idea):
>
> <FORM>... etc
> user: test
> password: aa" and ""="""
>           ^^^^^^^ - this disables your original
> query if you don't check the user input (which should
> always be done, with a regular expression and other
> mechanisms, like the native functions of PHP related
> to slashes, command parsing (see doc for exec(), etc)

_______________________________________________
Care2002-developers mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/care2002-developers
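The two problems raised in the quoted message, a login query that a quoted value can rewrite and a person search where a typed '%' acts as a wildcard, as an added worked example. This is not code from this thread or from Care2x: it uses Python's standard sqlite3 module with a constructed two-table database (Care2x's real schema is not reproduced, and SQLite's single-quoted string literals stand in for the double-quoted MySQL syntax of the quoted message; the mechanism is the same). The payload `' OR ''='` is the standard form of the tautology trick the message sketches. The hardened functions use parameter binding rather than the slash-escaping PHP functions the thread refers to.

```python
import sqlite3


def make_db():
    """Constructed sample database (an assumption, not Care2x's schema): a
    login table and a person table for the two inputs the thread mentions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('test', 's3cret')")
    conn.execute("CREATE TABLE persons (name TEXT)")
    conn.executemany(
        "INSERT INTO persons VALUES (?)",
        [("Smith, John",), ("Smith, Jane",), ("Doe, Mary",)],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, user, password):
    """Login check built by string concatenation: the password value becomes
    part of the SQL text, so a quote inside it rewrites the WHERE clause."""
    sql = ("SELECT COUNT(*) FROM users WHERE username='" + user
           + "' AND password='" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, user, password):
    """Same check with bound parameters: the driver sends the values
    separately from the statement, so quotes in them are plain data."""
    sql = "SELECT COUNT(*) FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (user, password)).fetchone()[0] > 0


def search_vulnerable(conn, term):
    """Person search that appends a trailing wildcard to the raw term: a user
    who types '%' (or '_') matches rows they never asked for, and a quote in
    the term breaks the statement exactly as in the login case."""
    sql = "SELECT name FROM persons WHERE name LIKE '" + term + "%' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def escape_like(term, esc="\\"):
    """Escape the LIKE metacharacters % and _ (and the escape character
    itself) so they match literally when used with an ESCAPE clause."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_hardened(conn, term):
    """Person search with the term bound as a parameter and its wildcards
    escaped; the only wildcard left is the one the application appends."""
    pattern = escape_like(term) + "%"
    sql = "SELECT name FROM persons WHERE name LIKE ? ESCAPE '\\' ORDER BY name"
    return [row[0] for row in conn.execute(sql, (pattern,))]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR ''='"   # tautology payload; the real password is not supplied
    print("vulnerable login with payload:", login_vulnerable(db, "test", payload))
    print("parameterized login with payload:", login_parameterized(db, "test", payload))
    print("vulnerable search for '%':", search_vulnerable(db, "%"))
    print("hardened search for '%':", search_hardened(db, "%"))
    print("hardened search for 'Smith':", search_hardened(db, "Smith"))
```

Note that quote escaping alone (the slash-related PHP functions the thread mentions) does nothing about the '%' case: '%' contains no quote, so it passes through untouched and still acts as a wildcard inside LIKE. That is why the search needs both parameter binding and the explicit escaping of '%' and '_' with an ESCAPE clause.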

