You probably thought of little Bobby Tables when writing this email... http://xkcd.com/327/

On 23 March 2013 01:35, "Philippe Verdy" <[email protected]> wrote:
> And how many web forms forget to check the presence of a percent sign
> and are executing SQL searches without checking it, using clauses
> similar to "WHERE table.field LIKE :parameter" by binding directly the
> submitted form value to the "parameter" variable placeholder, ignoring
> the fact that the percent sign in the right operand of a LIKE is
> parsed specially by the SQL engine?
>
> Same thing about programs using submitted values directly (or
> concatenating them) to create any kind of regular expressions, or to
> generate a SQL statement (with the security issue of possible SQL
> injection to retrieve confidential data, by terminating the query
> statement with a quote, a semicolon, and initiating a second statement
> which could even drop the full database or alter any other tables in
> that database?).
>
> 2013/3/22 Stephan Stiller <[email protected]>:
> >
> >> This one is incredible:
> >>
> >> https://bugzilla.redhat.com/show_bug.cgi?id=922433
> >
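A worked illustration of the LIKE point quoted above, added here and not written by anyone in the thread: with Python's sqlite3 and a constructed users table, the search term is bound as a parameter (so a quote or semicolon cannot break out of the statement), yet a `%` in the bound value still acts as a wildcard until the input is escaped and the query carries an ESCAPE clause.

```python
import sqlite3

# Constructed sample data: a user directory searched by a web form.
ROWS = [("alice",), ("bob",), ("carol_smith",), ("dave",)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", ROWS)
    return conn


def escape_like(value, esc="\\"):
    """Neutralise LIKE metacharacters in user input.

    The escape character itself is doubled first, then % and _ are
    prefixed, so the bound value can only match itself literally.
    """
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def search_naive(conn, term):
    # Binding stops quote/semicolon injection, but the SQL engine still
    # parses % and _ inside the bound value as wildcards.
    rows = conn.execute(
        "SELECT name FROM users WHERE name LIKE ? ORDER BY name", (term,))
    return [r[0] for r in rows]


def search_prefix(conn, term):
    # Intended behaviour: prefix search. The only wildcard is the one the
    # application appends; anything the user typed is matched literally.
    pattern = escape_like(term) + "%"
    rows = conn.execute(
        "SELECT name FROM users WHERE name LIKE ? ESCAPE '\\' ORDER BY name",
        (pattern,))
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    print(search_naive(db, "%"))        # every row: the wildcard leaked through
    print(search_prefix(db, "%"))       # []: no name starts with a literal "%"
    print(search_prefix(db, "car"))     # ['carol_smith']
```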

