On Thu, 2009-09-17 at 19:43 +1000, Daniel Pittman wrote:
> Also, as I note, this is based on *TWO YEAR OLD* information. I don't know
> what Drupal and Joomla have done to systematically address these issues since
> that time.
They could have done a lot, so it’s worth checking out. Using WordPress as an example: two years ago, they were basically addslashes()'ing strings before concatenating them with a MySQL query. Now, they've since completely moved to a printf-style model, where they put some %s tags in a query, and pass the values as function parameters, not concatenating them. So WordPress is (as far as I can tell) completely immune to SQL injection now and in the future. Not trying to plug WordPress here — just saying that yes, a lot of security work could have been done since.
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
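The printf-style model described in the reply above, as an added illustration that is not part of the original thread and not WordPress's own wpdb code: a template with %s/%d placeholders is filled from function arguments, with quoting and integer coercion applied centrally by type, and the result is compared against plain concatenation on a constructed in-memory SQLite table (the table, the logins and the `prepare` helper are all assumptions made for this example).

```python
import re
import sqlite3

# Placeholders understood by this model of the approach: %s (quoted string)
# and %d (integer). Escaping uses the ANSI/SQLite convention of doubling
# single quotes; a MySQL driver would use its own escaping routine instead.
PLACEHOLDER = re.compile(r"%[sd]")


def sql_quote(value):
    """Render a value as a quoted SQL string literal."""
    return "'" + str(value).replace("'", "''") + "'"


def prepare(template, *args):
    """Fill %s/%d placeholders from args; the argument count must match."""
    slots = PLACEHOLDER.findall(template)
    if len(slots) != len(args):
        raise ValueError(f"expected {len(slots)} values, got {len(args)}")
    values = iter(args)

    def render(match):
        value = next(values)
        if match.group() == "%d":
            return str(int(value))  # non-integer input raises instead of being coerced
        return sql_quote(value)

    return PLACEHOLDER.sub(render, template)


def unsafe_lookup(conn, login):
    """Old style: the call site concatenates and is responsible for escaping (omitted here)."""
    sql = "SELECT id FROM users WHERE login = '" + login + "'"
    return [row[0] for row in conn.execute(sql)]


def prepared_lookup(conn, login):
    """New style: the value is passed as a parameter and quoted by prepare()."""
    sql = prepare("SELECT id FROM users WHERE login = %s", login)
    return [row[0] for row in conn.execute(sql)]


def build_db():
    """Constructed sample table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT)")
    conn.executemany("INSERT INTO users (id, login) VALUES (?, ?)",
                     [(1, "alice"), (2, "O'Brien"), (3, "carol")])
    return conn
```

Where the database driver supports real bind parameters (sqlite3's `?`, MySQLi/PDO prepared statements), prefer those over client-side substitution, since the value then never passes through the SQL parser at all.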
