Hi all, I am very glad about this particular topic because we are actually working to test a part of care2x which for a long time was relatively taken for granted.
Just a short history. Way back in 2002, Daniel Frieja from Germany notified me of this danger and I followed his suggestion to use PHP's native function "addslashes()", which neutralizes the user input. After that, and after some testing rounds, we decided it to be good enough. But it could happen that some parts of the program, especially those that are not explicitly in danger, were overlooked. So, keep on testing and trying to compromise the system by using this "sql inject" attack. Inform us about the results. If you can make the patch yourself, it would be much better. Please send us the patches afterwards.

Thanks,
Elpidio

On Friday 12 November 2004 08:24, Joachim Mollin wrote:
> Sorry,
>
> I tried your example on my system, but I did not come in with that password
>
> Joachim

