URL:
<http://gna.org/bugs/?func=detailitem&item_id=4569>
Summary: SQL strings not escaped when magic_quotes_gpc is not enabled
Project: Galette
Submitted by: pbaumard
Submitted on: Sun 23.10.2005 at 04:53
Priority: 5 - Normal
Severity: 6 - Security
Status: None
Assigned to: None
Originator Email:
Open/Closed: Open
_______________________________________________________
Details:
From
http://phplens.com/adodb/reference.functions.qstr.html
adodb qstr method has to be called with get_magic_quotes_gpc() as a second
parameter:
$db->qstr($value,get_magic_quotes_gpc())
But in galette code most of the calls set the second parameter as true:
$DB->qstr($value, true)
So when magic_quotes_gpc is not enabled SQL strings are not escaped, and
worse, Galette fails silently without showing any error message.
_______________________________________________________
Carbon-Copy List:
CC Address | Comment
------------------------------------+-----------------------------
pbaumard |
_______________________________________________________
_______________________________________________
Message posted via Gna!
http://gna.org/
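The following is an added example, not code from the report, from Galette or from ADOdb. It reproduces the mismatch the report describes with a small stand-in for ADOdb's qstr() (written here so the script runs without the library; it keeps the documented behaviour for MySQL-style escaping only, driver-specific handling for Sybase/MSSQL is left out). The function names qstr_like() and literal_is_sound(), and the input "O'Brien", are constructed for this example.

```php
<?php
// Stand-in for ADOdb's qstr($s, $magic_quotes) (assumption: simplified, MySQL-style
// escaping only). ADOdb escapes $s only when $magic_quotes is false; when it is
// true it assumes PHP's magic_quotes_gpc already added the backslashes and merely
// wraps the value in quotes.
function qstr_like(string $s, bool $magic_quotes = false): string
{
    if (!$magic_quotes) {
        // Escape backslash and NUL first, then single quotes (ADOdb's own order).
        $s = str_replace(['\\', "\0"], ['\\\\', "\\\0"], $s);
        return "'" . str_replace("'", "\\'", $s) . "'";
    }
    // Caller asserts the value is already escaped: nothing is escaped here.
    $s = str_replace('\\"', '"', $s);
    return "'" . $s . "'";
}

// Detection helper (constructed): a sound single-quoted SQL literal has no
// unescaped single quote between its delimiters.
function literal_is_sound(string $literal): bool
{
    $inner = substr($literal, 1, -1);
    // Drop every backslash-escaped character, then look for a stray quote.
    $stripped = preg_replace('/\\\\./', '', $inner);
    return strpos($stripped, "'") === false;
}

// Constructed form input: a harmless value containing an apostrophe, exactly as
// PHP delivers it when magic_quotes_gpc is off (no backslash added by PHP).
$raw = "O'Brien";
$gpc_enabled = false; // the configuration the report describes

// Galette's pattern from the report: second parameter hard-coded to true.
$buggy = qstr_like($raw, true);
// The reporter's fix: pass the real state of magic_quotes_gpc.
$fixed = qstr_like($raw, $gpc_enabled);

printf("buggy: %s  sound=%s\n", $buggy, literal_is_sound($buggy) ? 'yes' : 'no');
printf("fixed: %s  sound=%s\n", $fixed, literal_is_sound($fixed) ? 'yes' : 'no');
// buggy: 'O'Brien'   sound=no  (broken literal; user-controlled text left in the SQL)
// fixed: 'O\'Brien'  sound=yes
```

The "fails silently" part of the report follows from ADOdb's default error handling: Execute() returns false on a SQL error rather than raising anything, so a call site that does not check its return value never notices the malformed statement. Checking that return value (or registering ADOdb's error handler) is the cheapest way to make the problem visible. One caveat for anyone applying the reporter's fix today: magic quotes were removed in PHP 5.4, get_magic_quotes_gpc() always returns false from then on and was removed in PHP 8.0, so the safe second argument is simply false; the hard-coded true is the dangerous call in every PHP version.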