hi,
The PostgreSQL team has released the new .4 version as a security fix.
http://www.postgresql.org/docs/techdocs.52
This is related to addslash and Unicode-like charmaps.
<quote>
A few weeks ago, members of our Japanese developer community contacted
us with news of a SQL injection exploit for PostgreSQL with PHP in Far
Eastern character encodings such as SJIS. It seemed that a clever
attacker could exploit knowledge of how multi-byte encodings and string
escaping work inside PostgreSQL in order to sneak injected SQL strings
past all commonly used client-side safeguards. Subsequent investigation
showed that related attacks would work in all multi-byte encodings, in
particular UTF8 which is widely used world-wide.
</quote>
This is probably true for other SQL backends as well.
Now, they turned off the backslash escaping with some charmaps:
<quote>
When the client is using a "client only" encoding (SJIS, BIG5, GBK,
GB18030, or UHC) the server furthermore rejects uses of "\'" to
represent a single quote mark in a SQL string literal. This historical
usage has been deprecated for some time in favor of the SQL-standard
representation "''" (two single quote marks)
</quote>
Also, the use of parameterized prepared statements is the best practice
to avoid SQL injection, because all the tests and formatting checks from
standard Psql libs are processed.
<quote>
Use parameterized prepared statements to execute queries (e.g. "SELECT *
FROM table WHERE id = ?")
</quote>
Now, that said, I wish to know if OTRS is ready to work with those
changes.
Regards
--
Alexandre
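The mechanism behind the two quoted passages, as an added Python example that is not from the post, from OTRS or from PostgreSQL: SQL-standard '' quoting applied to decoded text, a simplified byte-oriented literal scanner next to a Shift_JIS-aware one, and a model of the new rule rejecting \' in client-only encodings. The scanners and the encoding set are illustrative assumptions, not PostgreSQL's parser.

```python
# Python codec names for the client-only encodings named in the announcement
# (SJIS, BIG5, GBK, GB18030, UHC). Assumed mapping for this example.
CLIENT_ONLY = {"shift_jis", "big5", "gbk", "gb18030", "cp949"}

def quote_literal(text: str) -> str:
    """SQL-standard quoting: double each single quote, never add backslashes.
    Works on decoded text, so a multi-byte character can never be split."""
    return "'" + text.replace("'", "''") + "'"

def sjis_char_len(lead: int) -> int:
    """Shift_JIS: lead bytes 0x81-0x9F and 0xE0-0xFC start a 2-byte character."""
    return 2 if 0x81 <= lead <= 0x9F or 0xE0 <= lead <= 0xFC else 1

def literal_end_bytewise(sql: bytes, start: int) -> int:
    """Byte-oriented scan that treats every 0x5C byte as a backslash escape.
    This is the kind of logic that disagrees with the server on SJIS input,
    because the trailing byte of some SJIS characters is 0x5C."""
    i = start + 1
    while i < len(sql):
        if sql[i] == 0x5C:              # '\' : skip the escaped byte
            i += 2
        elif sql[i] == 0x27:            # "'"
            if sql[i + 1:i + 2] == b"'":
                i += 2                  # '' stays inside the literal
            else:
                return i + 1            # index one past the closing quote
        else:
            i += 1
    raise ValueError("unterminated literal")

def literal_end_sjis(sql: bytes, start: int) -> int:
    """Encoding-aware scan: a 2-byte SJIS character is consumed whole, so a
    0x5C trailing byte is data, not an escape. Backslash is ordinary data here,
    matching the SQL-standard '' form recommended above."""
    i = start + 1
    while i < len(sql):
        n = sjis_char_len(sql[i])
        if n == 1 and sql[i] == 0x27:
            if sql[i + 1:i + 2] == b"'":
                i += 2
            else:
                return i + 1
        else:
            i += n
    raise ValueError("unterminated literal")

def server_accepts(sql: bytes, encoding: str) -> bool:
    """Model of the quoted rule: in a client-only encoding, reject the
    deprecated \\' spelling of a quote; '' is always accepted."""
    text = sql.decode(encoding)
    return not (encoding in CLIENT_ONLY and "\\'" in text)
```

The katakana character "ソ" encodes to 0x83 0x5C in Shift_JIS, so a literal containing it is where the two scanners diverge.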
_______________________________________________
OTRS mailing list: otrs - Webpage: http://otrs.org/
Archive: http://lists.otrs.org/pipermail/otrs
To unsubscribe: http://lists.otrs.org/cgi-bin/listinfo/otrs
Support or consulting for your OTRS system?
=> http://www.otrs.de/