Hi, yes, this SQL injection can be dangerous. If somebody detects any part of care2x that can be compromised, please inform us immediately. Of course, one needs to describe exactly what one did and how, which part of the program, etc.
Thanks, Elpidio

On Monday 15 November 2004 02:27, Daniel Ignat wrote:
> Yes, you are right, that was just an example
> so that people may realize the danger.
>
> Look in 'google' about sql inject and you will
> realize that the things can get more complex,
> and not only in queries about 'users' and
> 'passwords', but about patient names or
> clinical history, for example, by people who
> should not have access to that.. the 'injection'
> may occur in a 'multi table' query for example,
> with the password 'well' protected as you stated
> here.. but with another unprotected field which
> takes another user input and appends to the main
> 'protected' query.. People may even save
> locally the html pages, modify them to avoid the
> javascript checking code and use them to query
> your database.. if the server script doesn't check
> thoroughly the user input.. that's why I said about
> php native functions (like addslashes, as Elpidio said)
> or regexp functions (more restrictive so, more secure)

_______________________________________________
Care2002-developers mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/care2002-developers
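The scenario Daniel describes, as an added worked example that is not part of the thread and not care2x code: a query whose login and password fields are quote-escaped but whose second user-controlled field (a ward identifier) is concatenated raw, so a request with the browser-side checks removed slips a payload in through that field and bypasses the "well protected" credential check entirely. Python with the standard-library sqlite3 module stands in for PHP/MySQL so the block runs offline; the schema, rows, ward identifiers and the `escape_quotes` helper (SQLite's doubled-quote escape, standing in for PHP `addslashes`) are all constructed for this example. The hardened version combines the two defences the message names: a restrictive regexp allowlist on the identifier and parameterised queries instead of string concatenation.

```python
import re
import sqlite3


def make_db():
    """Constructed sample schema and rows (not from care2x); passwords are
    plaintext only to keep the example short."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE users(id INTEGER PRIMARY KEY, login TEXT, password TEXT);
        CREATE TABLE patients(id INTEGER PRIMARY KEY, name TEXT, ward TEXT, history TEXT);
        INSERT INTO users VALUES (1, 'nurse1', 's3cret');
        INSERT INTO patients VALUES (1, 'Alice Example', 'ward-a', 'appendectomy 2003');
        INSERT INTO patients VALUES (2, 'Bob Example', 'ward-b', 'confidential note');
        """
    )
    return con


def escape_quotes(value):
    """Stand-in for PHP addslashes(): neutralises a quote inside a string
    literal (SQLite doubles the quote rather than backslash-escaping it)."""
    return value.replace("'", "''")


def vulnerable_lookup(con, login, password, ward):
    """The pattern from the thread: login/password are escaped, but the ward
    filter is appended raw. A payload in `ward` rewrites the whole WHERE clause."""
    sql = (
        "SELECT p.name, p.history FROM patients p "
        f"WHERE p.ward = '{ward}' "          # unprotected second field
        "AND EXISTS (SELECT 1 FROM users u "
        f"WHERE u.login = '{escape_quotes(login)}' "
        f"AND u.password = '{escape_quotes(password)}')"
    )
    return con.execute(sql).fetchall()


# Allowlist for the constructed ward identifiers: letters, a dash, one letter.
# A regexp this tight rejects quotes, spaces and comment markers outright.
WARD_RE = re.compile(r"^[a-z]+-[a-z]$")


def safe_lookup(con, login, password, ward):
    """Hardened form: validate the identifier against an allowlist, then bind
    every user-supplied value as a parameter so it can never become SQL."""
    if not WARD_RE.fullmatch(ward):
        raise ValueError("rejected ward identifier")
    sql = (
        "SELECT p.name, p.history FROM patients p WHERE p.ward = ? "
        "AND EXISTS (SELECT 1 FROM users u WHERE u.login = ? AND u.password = ?)"
    )
    return con.execute(sql, (ward, login, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Normal use: valid credentials, a real ward.
    print(vulnerable_lookup(db, "nurse1", "s3cret", "ward-a"))
    # The escaped password field resists a classic payload...
    print(vulnerable_lookup(db, "nurse1", "' OR '1'='1", "ward-a"))
    # ...but the raw ward field does not: no valid credentials, every patient returned.
    print(vulnerable_lookup(db, "nobody", "wrong", "x' OR 1=1 --"))
    # Hardened lookup rejects the payload before it reaches the database.
    try:
        safe_lookup(db, "nobody", "wrong", "x' OR 1=1 --")
    except ValueError as exc:
        print("blocked:", exc)
```

The third call is the one that matters: the attacker never needs a password, because the `--` turns the whole credential check into a comment. Escaping one field is not a defence for the query; every value that reaches the SQL string has to be either bound as a parameter or validated against a pattern that excludes SQL syntax, and the check must live on the server, since anything done in JavaScript can be removed from a saved copy of the page.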

