[AppDB] Make screen shots safe from SQL injection

Chris Morgan cmorgan at alum.wpi.edu
Mon Jun 26 22:36:59 CDT 2006


Also fixed a case of this in adminCommentView.php.

If you are interested I can resubmit the second half of the SQL injection 
patch after the unit test/user one goes in and another patch to test some of 
this new functionality is completed and in.  I caught a bug in 
query_parameters() and wanted to take advantage of our unit testing suite to 
ensure that it really is fixed by code changes I made and that it doesn't get 
broken again.

Chris
On Monday 26 June 2006 10:56 pm, Chris Morgan wrote:
> Yes, having quotes around limit values breaks SQL queries.  I'll
> incorporate this into the injection change patch.
>
> I'm curious as to why the rest of the patch is the same though.  It
> will conflict when the other SQL patch is applied.
>
> Chris
>
> On 6/26/06, Tony Lambregts <tony.lambregts at gmail.com> wrote:
> > This is a subset of Chris Morgan's select_update_delete_injection.patch
> > which only deals with screen shots. I had to modify
> > admin/adminScreenshots.php to get rid of the quotes around the question
> > marks that made the query fail but otherwise it is the same.
> >
> > I changed line 120 of admin/adminScreenshots.php like so.
> > from            ORDER BY id ASC LIMIT '?', '?'", $offset, $ItemsPerPage);
> > to              ORDER BY id ASC LIMIT ?, ?", $offset, $ItemsPerPage);
> >
> > Change log: Makes screen shots safe from SQL injection
> >
> > Files changed:
> >      appimage.php
> >      viewScreenshots.php
> >      admin/adminScreenshots.php
> >      include/db.php
> >      include/screenshot.php
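The placeholder problem discussed in this thread (a `?` inside quotes is a string literal, not a placeholder, and LIMIT must receive integer values) can be shown with a real driver. The following is an added example, not part of the patch or of AppDB's own code: AppDB is PHP on MySQL and substitutes values through its own query_parameters() helper, whereas this uses Python's sqlite3 module, whose `?` binding behaves the same way for the point at hand. The `screenshot` table, its columns and its rows are constructed for the example and are not AppDB's schema.

```python
import sqlite3


def make_db():
    """Build an in-memory database with a constructed screenshot table
    (not AppDB's schema). ids 1-5 belong to app 1, ids 6-10 to app 2."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE screenshot (id INTEGER PRIMARY KEY, appId INTEGER, description TEXT)"
    )
    rows = [(i, 1 if i <= 5 else 2, f"shot {i}") for i in range(1, 11)]
    conn.executemany("INSERT INTO screenshot VALUES (?, ?, ?)", rows)
    return conn


def screenshots_page(conn, app_id, offset, per_page):
    """The corrected form from the patch: bare ? placeholders, values bound by
    the driver. LIMIT receives integers (offset, count), and the request
    values never become part of the SQL text."""
    cur = conn.execute(
        "SELECT id FROM screenshot WHERE appId = ? "
        "ORDER BY id ASC LIMIT ?, ?",
        (app_id, offset, per_page),
    )
    return [row[0] for row in cur.fetchall()]


def quoted_placeholders_rejected(conn):
    """The form the patch removed: '?' inside quotes is a one-character string
    literal, not a placeholder. The driver sees zero placeholders and refuses
    the two supplied values (sqlite3 raises ProgrammingError). Returns True
    when the quoted query is rejected."""
    try:
        conn.execute(
            "SELECT id FROM screenshot ORDER BY id ASC LIMIT '?', '?'", (0, 3)
        )
    except sqlite3.ProgrammingError:
        return True
    return False


def count_concatenated(conn, app_id_text):
    """Deliberately unsafe, kept only for contrast with count_bound: the
    request value is spliced into the SQL text, so whatever it contains is
    parsed as SQL rather than compared as data."""
    cur = conn.execute(
        "SELECT COUNT(*) FROM screenshot WHERE appId = " + app_id_text
    )
    return cur.fetchone()[0]


def count_bound(conn, app_id_text):
    """Same query with a bound parameter: the whole value is compared as
    data against the column, so a non-numeric string simply matches nothing."""
    cur = conn.execute(
        "SELECT COUNT(*) FROM screenshot WHERE appId = ?", (app_id_text,)
    )
    return cur.fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print(screenshots_page(db, 2, 1, 2))                            # [7, 8]
    print(quoted_placeholders_rejected(db))                         # True
    print(count_concatenated(db, "1"), count_bound(db, "1"))         # 5 5
    print(count_concatenated(db, "1 OR 1=1"), count_bound(db, "1 OR 1=1"))  # 10 0
```

The last two lines of the usage section are the check a reviewer of this patch would want: the same request string yields a different result depending only on whether it was concatenated or bound, and the bound LIMIT clause pages correctly with plain integers.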