[AppDB] Make screen shots safe from SQL injection

Chris Morgan chmorgan at gmail.com
Mon Jun 26 21:56:44 CDT 2006

Yes, having quotes around limit values breaks sql queries.  I'll
incorporate this into the injection change patch.

I'm curious as to why the rest of the patch is the same though.  It
will conflict when the other sql patch is applied.


On 6/26/06, Tony Lambregts <tony.lambregts at gmail.com> wrote:
> This is a subset of Chris Morgan's select_update_delete_injection.patch which
> only deals with screen shots. I had to modify admin/adminScreenshots.php to get
> rid of the quotes around the question marks that made the query fail but
> otherwise it is the same.
> I changed line 120 of admin/adminScreenshots.php like so.
> from            ORDER BY id ASC LIMIT '?', '?'", $offset, $ItemsPerPage);
> to              ORDER BY id ASC LIMIT ?, ?", $offset, $ItemsPerPage);
> Change log: Makes screen shots safe from SQL injection
> Files changed:
>      appimage.php
>      viewScreenshots.php
>      admin/adminScreenshots.php
>      include/db.php
>      include/screenshot.php

More information about the wine-patches mailing list