Re: [PHP] ODBC_EXECUTE has a DANGEROUS 'feature'!!!

2002-02-14 Thread
> OK, I checked into this further, and I must apologize: you are correct. > I suspect that most of us didn't remember that this feature even > existed... You don't have to apologize. And indeed... I don't get the idea that many people know about this. Besides you and maybe one or two others I hav

Re: [PHP] ODBC_EXECUTE has a DANGEROUS 'feature'!!!

2002-02-13 Thread Lars Torben Wilson
On Mon, 2002-02-11 at 00:21, * R&zE: wrote: > I understand you try to 'protect' your own product, but you have to > stay a bit realistic about some things. Of course I check the input. > But you know... there's absolutely nothing wrong with allowing > quotes to be stored in the database. It's just

Re: [PHP] ODBC_EXECUTE has a DANGEROUS 'feature'!!!

2002-02-12 Thread val petruchek
ED]> To: "Jerry Verhoef (UGBI)" <[EMAIL PROTECTED]> Cc: "PHP General Mailinglist" <[EMAIL PROTECTED]> Sent: Tuesday, February 12, 2002 12:20 PM Subject: RE: [PHP] ODBC_EXECUTE has a DANGEROUS 'feature'!!! > On Mon, 2002-02-11 at 06:46, Jerry Verhoe

RE: [PHP] ODBC_EXECUTE has a DANGEROUS 'feature'!!!

2002-02-12 Thread Lars Torben Wilson
On Mon, 2002-02-11 at 06:46, Jerry Verhoef (UGBI) wrote: > I think you all are missing the point that *R&zE is making. > > The software you use/create should be bug-free and free from undocumented > features. Otherwise security risks could occur. And of course all other In a perfect world, yes. H

Re: [PHP] ODBC_EXECUTE has a DANGEROUS 'feature'!!!

2002-02-11 Thread
> *Always* validate your data. If you validate your data and never trust > anything which comes from the client side of the connection, your > problem goes away. I mean, you wouldn't pass user data to exec() > or fopen() without some serious checking, would you? ;) > > Sure, PHP could try to pre

Re: [PHP] ODBC_EXECUTE has a DANGEROUS 'feature'!!!

2002-02-08 Thread Lars Torben Wilson
On Fri, 2002-02-08 at 04:43, * R&zE: wrote: > Hi folks, > > I don't know if everyone ever knew this, but I haven't been able to > find anything about this, anywhere... > > odbc_execute has a very dangerous 'feature'. I would like to call it > a bug, because someone has implemented it on purpose

Re: [PHP] ODBC_EXECUTE has a DANGEROUS 'feature'!!!

2002-02-08 Thread
Usually I would agree with you. Like I wrote in my message, I would like to call it a bug, but it was written on purpose. That would make it a feature!?! It's an if-block of app. 20 lines that makes sure this happens. Looks like someone _really_ wanted PHP to do this... > This is what we call a B

RE: [PHP] ODBC_EXECUTE has a DANGEROUS 'feature'!!!

2002-02-08 Thread Jerry Verhoef (UGBI)
This is what we call a BUG Report it on http://bugs.php.net thx > -Original Message- > From: * R&zE: [mailto:[EMAIL PROTECTED]] > Sent: Friday, February 08, 2002 1:44 PM > To: PHP General Mailinglist > Subject: [PHP] ODBC_EXECUTE has a DANGEROUS 'feat

[PHP] ODBC_EXECUTE has a DANGEROUS 'feature'!!!

2002-02-08 Thread
Hi folks, I don't know if everyone ever knew this, but I haven't been able to find anything about this, anywhere... odbc_execute has a very dangerous 'feature'. I would like to call it a bug, because someone has implemented it on purpose I should call it a feature... odbc_execute takes two argu