URL:
  <http://gna.org/bugs/?func=detailitem&item_id=4569>

                 Summary: SQL strings not escaped when magic_quotes_gpc is
not enabled
                 Project: Galette
            Submitted by: pbaumard
            Submitted on: Sun 23.10.2005 at 04:53
                Priority: 5 - Normal
                Severity: 6 - Security
                  Status: None
             Assigned to: None
        Originator Email: 
             Open/Closed: Open

    _______________________________________________________

Details:

From
http://phplens.com/adodb/reference.functions.qstr.html
the adodb qstr method has to be called with get_magic_quotes_gpc() as its second
parameter:
$db->qstr($value, get_magic_quotes_gpc())

But in the Galette code most of the calls set the second parameter to true:
$DB->qstr($value, true)

So when magic_quotes_gpc is not enabled, SQL strings are not escaped and,
worse, Galette fails silently without showing any error message.
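The following PHP snippet is an added illustration of the report, not code from Galette or ADOdb. The qstr_simplified() function reproduces only the documented contract of ADOdb's qstr(): a true second argument means "the input was already escaped by magic_quotes_gpc, just wrap it in quotes", so hard-coding true when magic_quotes_gpc is off produces an unescaped literal. The table and column names, the sample value and the magic_quotes_active() helper are constructed for the example.

```php
<?php
// Added example, not Galette or ADOdb code. Mirrors the documented
// behaviour of ADOdb's qstr(): with $magic_quotes === true the input is
// assumed to carry the backslashes that PHP's magic_quotes_gpc would have
// added, so nothing is escaped; with false, qstr escapes it itself.
function qstr_simplified($s, $magic_quotes = false)
{
    if (!$magic_quotes) {
        // Escape backslashes and NUL bytes first, then single quotes
        // (MySQL-style \' escaping).
        $s = str_replace(array('\\', "\0"), array('\\\\', "\\\0"), $s);
        return "'" . str_replace("'", "\\'", $s) . "'";
    }
    // Caller asserts that magic_quotes_gpc already escaped the value:
    // it is only wrapped in quotes, exactly as the report describes.
    return "'" . $s . "'";
}

// The magic_quotes_gpc feature was removed in PHP 5.4 and the function in
// PHP 8.0, so on any modern runtime GPC input is never pre-escaped and
// this helper returns false. Constructed helper, not part of ADOdb.
function magic_quotes_active()
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Constructed sample input: a name with a single quote, as $_POST would
// deliver it when magic_quotes_gpc is off.
$value = "O'Brien";

// The call pattern reported above: second argument hard-coded to true.
// The resulting literal is 'O'Brien', an unescaped, broken statement.
$broken = "SELECT * FROM members WHERE name = " . qstr_simplified($value, true);

// The call pattern the ADOdb documentation prescribes: the escaping
// decision follows the actual runtime setting, so the quote is escaped.
$fixed = "SELECT * FROM members WHERE name = " . qstr_simplified($value, magic_quotes_active());

echo $broken, "\n";
echo $fixed, "\n";
```

Running the script on a PHP build without magic_quotes_gpc prints the unescaped statement first and the correctly escaped one second; a grep for `qstr(` calls whose second argument is the literal `true` is the quickest way to audit a code base for the pattern described in this report.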



    _______________________________________________________

Carbon-Copy List:

CC Address                          | Comment
------------------------------------+-----------------------------
pbaumard                            | 




    _______________________________________________________

Reply to this item at:

  <http://gna.org/bugs/?func=detailitem&item_id=4569>

_______________________________________________
  Message posted via Gna!
  http://gna.org/

