Hi Joachim,

could be. I've not tested it before. The basic idea of Daniel's 'sql inject'
is to append the sql statement that php gives to the mysql server. I think
that there is no way to modify the password string on care2x that every
password is guilty.

Robert
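To make the point of the thread concrete, here is an added example (not code from care2x or from anyone on this list) that mirrors the PHP string concatenation quoted below in Python against an in-memory SQLite table with constructed rows, and puts the parameter-bound form of the same login query beside it. Robert's payload `aa" or 1=1"` is transposed to the single-quote form he proposes; the table and column names are assumptions.

```python
import sqlite3

# Constructed sample rows standing in for the care2x user table discussed
# in the thread; the table and column names are assumptions.
SAMPLE_USERS = [("test", "s3cret"), ("admin", "hunter2")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory users table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_query_concat(user: str, passwd: str) -> str:
    """Mirror the PHP concatenation quoted in the thread:
    "SELECT * FROM users WHERE user='".$user."' AND password='".$passwd."'"
    The caller's input lands inside the SQL text unchanged, so a quote
    character in the input ends the literal and the rest becomes SQL."""
    return f"SELECT * FROM users WHERE user='{user}' AND password='{passwd}'"


def login_concat(conn: sqlite3.Connection, user: str, passwd: str) -> list:
    """Vulnerable form: executes the concatenated text as SQL."""
    return conn.execute(build_query_concat(user, passwd)).fetchall()


def login_bound(conn: sqlite3.Connection, user: str, passwd: str) -> list:
    """Hardened form: the SQL text is fixed and the values travel as bound
    parameters, so no character in the input can change the statement."""
    sql = "SELECT * FROM users WHERE user=? AND password=?"
    return conn.execute(sql, (user, passwd)).fetchall()


def demo() -> dict:
    """Run both forms with the thread's payload and a genuine password."""
    conn = make_db()
    payload = "aa' or '1'='1"  # Robert's  aa" or 1=1"  in single-quote form
    return {
        "query_text": build_query_concat("test", payload),
        "concat_rows": len(login_concat(conn, "test", payload)),  # every row
        "bound_rows": len(login_bound(conn, "test", payload)),    # no row
        "bound_good": len(login_bound(conn, "test", "s3cret")),   # one row
    }
```

Escaping quotes (what the `\"` in Robert's example shows) only works when every code path remembers to do it; binding the values keeps the statement shape fixed regardless of input.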

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On behalf of
> Joachim Mollin
> Sent: Friday, 12 November 2004 17:24
> To: [EMAIL PROTECTED]
> Subject: RE: [Care2002-developers] about patients and personnel in the
> same table
>
>
> Sorry,
>
> I tried your example on my system, but I did not come in with
> that password
>
> Joachim
>
> healthcare Consulting gmbh
> An der Weinleite 5a
> 85560 Ebersberg
>
> [EMAIL PROTECTED]
> Tel: +49 8092 709910 / +49 171 8017700
> Fax: +49 8092 709920
> www.healthcareconsulting.de
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On behalf of
> Robert Meggle
> Sent: Friday, 12 November 2004 15:59
> To: [EMAIL PROTECTED]
> Subject: RE: [Care2002-developers] about patients and personnel
> in the same
> table
>
> Hi Daniel,
>
> mysql 'sql inject' attack try:
> SQL query: SELECT * FROM uers WHERE user='".$user."' AND
> password='".$passwd."'"
> instead of
> SQL query: SELECT * FROM uers WHERE user="$user" AND password="$passwd"
>
> The password: aa" or 1=1" will produce the following (php) SQL-query:
> "SELECT * FROM uers WHERE user='test" AND password='aa\" or 1=1\"'
> instead of
> "SELECT * FROM uers WHERE user=test AND password=aa or 1=1"
>
> Effective no positive result for the bad gui.
>
> When I saw the idea of patients and personnel data in the same table it was
> also strange and new for me. But I think it's okay. Why not?
>
> Robert
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On behalf of
> > Daniel Ignat
> > Sent: Friday, 12 November 2004 11:25
> > To: [EMAIL PROTECTED]
> > Subject: Re: [Care2002-developers] about patients and personnel in the
> > same table
> >
> >
> > Hi!
> >
> > I saw that also and it seems to me a little bit
> > annoying to mix personnel and patients.. but you
> > also are right about duplicate data if someone
> > from the personnel gets sick..
> >
> > so, my suggestion is this (for the main developers
> > of care2x): is it possible to put an unchecked
> > 'check box' in the 'search person' form, so that
> > you may 'include', *if you want* the personnel
> > data (as an exception), in the search query?..
> >
> > or maybe better, 2 radio buttons:
> >   - only personnel, only patients
> > this way you will not have to look for all the
> > patients (including the filter) either when looking
> > for personnel..
> >
> > it is not difficult for the developer who has done
> > that form, but it would be a great feature for the
> > user. there is only one check box with a text, then
> > a filter in the sql query..
> >
> > PS. I realized that you may use the '%' sql operator
> > in a query.. I don't know if this is a 'feature' or
> > a 'bug'. It may be a security breach. Are you aware
> > of the 'sql inject' attacks? It seems that there is
> > no expression checking on the 'person search' input
> > text.. (but I recognize I didn't have the time to
> > check the code. so, sorry if this isn't true, I just
> > had it in my mind for a while and wanted to warn you)
> >
> > PPS Example of a mysql 'sql inject' attack (I hope
> > to remember it correctly, but if not, you will grasp
> > the idea):
> >
> > <FORM>... etc
> > user: test
> > password: aa" and ""="""
> >                    ^^^^^^^ - this disables your original
> > query if you don't check the user input (which should
> > always be done, with a regular expression and other
> > mechanisms, like the native functions of php related
> > to slashes, command parsing (see doc for exec(), etc )
> >
> > SQL query: SELECT * FROM uers WHERE user="$user" AND
> > password="$passwd"
> >
> >
> > Regards,
> >
> > --
> > Daniel Ignat
> > PHP Programmer and SysAdmin
> >
> >
> > Elpidio Latorilla wrote:
> > > Hello Walter,
> > >
> > > I just suggested that possibility based on my understanding of
> > your idea to
> > > separate the personal data of the hospital's personnel from the
> > patient data.
> > > Since the personal data are the same, you can use the same
> > structure.  Of
> > > course this means that once a hospital's employee gets sick
> > and himself
> > > becomes that hospital's patient, you might need to reenter his
> > personal data
> > > as a patient. This means double work and redundancy of data.
> > >
> > > I personally wanted to avoid this redundancy, that's why there is
> > currently only
> > > one person data table and it also contains the data of the hospital's
> > > personnel.
> > >
> > > But I understood your last posting that you might need a true
> > separation so I
> > > suggested the previous solution.  Please correct me if I am wrong.
> > >
> > > Elpidio
> > >
> > > On Wednesday 10 November 2004 16:33, Walter Nunez wrote:
> > >
> > >>Thank you Elpidio.
> > >>but, in this table..personnel and patients
> > >>¿Why they share the same table as original design?
> > >
> > >
> > >
> > >
> > > -------------------------------------------------------
> > > This SF.Net email is sponsored by:
> > > Sybase ASE Linux Express Edition - download now for FREE
> > > LinuxWorld Reader's Choice Award Winner for best database on Linux.
> > > http://ads.osdn.com/?ad_id=5588&alloc_id=12065&op=click
> > > _______________________________________________
> > > Care2002-developers mailing list
> > > [EMAIL PROTECTED]
> > > https://lists.sourceforge.net/lists/listinfo/care2002-developers
> > >
> > >
> >
> >
> >
> >
>
>
>
>
>
>
>
>


