appdb security

Christoph Frick frick at
Thu Jun 8 10:54:28 CDT 2006

On Thu, Jun 08, 2006 at 11:42:09AM -0400, Chris Morgan wrote:

> Can you come up with a non-destructive working example for the appdb 
> website( ;-)

no ;P

> I ask because I thought we went through this some time ago but I agree
> that what you say looks like an open issue.

if the magic quote thingy is turned on, then my code below wont do any
harm (as the ' from the user input is turned into \'). well but there
are other ways to inject code (e.g. encode the ' in some other way). at
least a intval($_REQUEST['appId']) would be step in the right direction.

> > > appId='"$_REQUEST['appId']."';";
> > with appId="' or 1=1;'"?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 163 bytes
Desc: not available
Url :

More information about the wine-devel mailing list