[AppDB] Make screen shots safe from SQL injection

Chris Morgan chmorgan at gmail.com
Mon Jun 26 21:56:44 CDT 2006


Yes, having quotes around limit values breaks SQL queries.  I'll
incorporate this into the injection change patch.

I'm curious as to why the rest of the patch is the same though.  It
will conflict when the other sql patch is applied.

Chris


On 6/26/06, Tony Lambregts <tony.lambregts at gmail.com> wrote:
> This is a subset of Chris Morgan's select_update_delete_injection.patch which
> only deals with screen shots. I had to modify admin/adminScreenshots.php to get
> rid of the quotes around the question marks that made the query fail but
> otherwise it is the same.
>
> I changed line 120 of admin/adminScreenshots.php like so.
> from            ORDER BY id ASC LIMIT '?', '?'", $offset, $ItemsPerPage);
> to              ORDER BY id ASC LIMIT ?, ?", $offset, $ItemsPerPage);
>
> Change log: Makes screen shots safe from SQL injection
>
> Files changed:
>      appimage.php
>      viewScreenshots.php
>      admin/adminScreenshots.php
>      include/db.php
>      include/screenshot.php
>
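The placeholder problem discussed above, as an added example that is not AppDB code: a `?` wrapped in quotes is a string literal, so the database sees one fewer parameter than the caller supplies and the query fails, while the unquoted `LIMIT ?, ?` binds the offset and page size as values. This uses Python's `sqlite3` and a constructed table standing in for the screenshot rows; the table name and columns are assumptions.

```python
import sqlite3


def make_db():
    """Build an in-memory table with ten constructed screenshot rows (hypothetical schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE appData (id INTEGER PRIMARY KEY, type TEXT, description TEXT)"
    )
    conn.executemany(
        "INSERT INTO appData (type, description) VALUES (?, ?)",
        [("screenshot", f"constructed shot {i}") for i in range(1, 11)],
    )
    return conn


def page_ids(conn, offset, items_per_page):
    """Paged query in the corrected form: LIMIT ?, ? with the values bound as parameters.

    int() rejects anything that is not a number, so a crafted offset such as
    "1 OR 1=1" raises ValueError instead of reaching the database at all.
    """
    rows = conn.execute(
        "SELECT id FROM appData WHERE type = ? ORDER BY id ASC LIMIT ?, ?",
        ("screenshot", int(offset), int(items_per_page)),
    ).fetchall()
    return [r[0] for r in rows]


def quoted_placeholder_error(conn, offset, items_per_page):
    """The broken form from the original line 120: LIMIT '?', '?'.

    Inside quotes the '?' is just text, so the statement has only one real
    placeholder (the type) while three values are supplied. Returns the
    driver's error message, or None if the query unexpectedly ran.
    """
    try:
        conn.execute(
            "SELECT id FROM appData WHERE type = ? ORDER BY id ASC LIMIT '?', '?'",
            ("screenshot", offset, items_per_page),
        )
    except sqlite3.ProgrammingError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    db = make_db()
    print(page_ids(db, 2, 3))                  # ids 3, 4, 5
    print(quoted_placeholder_error(db, 2, 3))  # binding-count error
```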


