[AppDB] Make screen shots safe from SQL injection
Chris Morgan
cmorgan at alum.wpi.edu
Mon Jun 26 22:36:59 CDT 2006
Also fixed a case of this in adminCommentView.php.
If you are interested, I can resubmit the second half of the SQL injection
patch after the unit test/user one goes in and another patch to test some of
this new functionality is completed and in. I caught a bug in
query_parameters() and wanted to take advantage of our unit testing suite to
ensure that it really is fixed by the code changes I made and that it doesn't get
broken again.
Chris
On Monday 26 June 2006 10:56 pm, Chris Morgan wrote:
> Yes, having quotes around limit values breaks SQL queries. I'll
> incorporate this into the injection change patch.
>
> I'm curious as to why the rest of the patch is the same though. It
> will conflict when the other sql patch is applied.
>
> Chris
>
> On 6/26/06, Tony Lambregts <tony.lambregts at gmail.com> wrote:
> > This is a subset of Chris Morgan's select_update_delete_injection.patch
> > which only deals with screen shots. I had to modify
> > admin/adminScreenshots.php to get rid of the quotes around the question
> > marks that made the query fail but otherwise it is the same.
> >
> > I changed line 120 of admin/adminScreenshots.php like so.
> > from ORDER BY id ASC LIMIT '?', '?'", $offset, $ItemsPerPage);
> > to ORDER BY id ASC LIMIT ?, ?", $offset, $ItemsPerPage);
> >
> > Change log: Makes screen shots safe from SQL injection
> >
> > Files changed:
> > appimage.php
> > viewScreenshots.php
> > admin/adminScreenshots.php
> > include/db.php
> > include/screenshot.php
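The thread turns on one detail of parameterized queries: a `?` placeholder only works when it is bare, and `'?'` is a string literal that the driver never binds. The following is an added example, not code from the AppDB project or from either poster; it uses an in-memory SQLite table with constructed sample rows (the real AppDB screenshot schema is not on the page) to show the corrected `LIMIT ?, ?` form paginating safely, the quoted form failing the way Tony described, and a pagination value carrying SQL text being rejected as non-numeric before it ever reaches the database.

```python
"""Added example: why `LIMIT ?, ?` works and `LIMIT '?', '?'` does not.

The table and rows below are constructed for the demonstration; they are
not the AppDB schema.
"""
import sqlite3

# Constructed sample rows standing in for AppDB screenshot records.
SAMPLE_SCREENSHOTS = [
    (1, 101, "Main window"),
    (2, 101, "Settings dialog"),
    (3, 102, "Splash screen"),
    (4, 103, "About box"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory table populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE screenshots "
        "(id INTEGER PRIMARY KEY, appId INTEGER, description TEXT)"
    )
    conn.executemany("INSERT INTO screenshots VALUES (?, ?, ?)", SAMPLE_SCREENSHOTS)
    return conn


def fetch_page(conn, offset, items_per_page):
    """Paginate with bound LIMIT parameters (the corrected form from the thread).

    The placeholders are bare `?`, so the values are bound by the driver and
    never spliced into the SQL text. LIMIT requires integers, so anything that
    is not an integer is rejected here rather than passed through.
    """
    offset = int(offset)
    items_per_page = int(items_per_page)
    if offset < 0 or items_per_page <= 0:
        raise ValueError("offset must be >= 0 and items_per_page > 0")
    cur = conn.execute(
        "SELECT id, description FROM screenshots ORDER BY id ASC LIMIT ?, ?",
        (offset, items_per_page),
    )
    return cur.fetchall()


def quoted_placeholders_fail(conn):
    """Reproduce the bug from the thread: `'?'` is a string literal, not a placeholder.

    The statement contains zero bindable parameters, so supplying two values
    is an error. Returns the driver's message, or None if the query ran.
    """
    try:
        conn.execute(
            "SELECT id FROM screenshots ORDER BY id ASC LIMIT '?', '?'",
            (0, 10),
        )
    except sqlite3.Error as exc:
        return str(exc)
    return None


def hostile_input_is_rejected(conn):
    """A pagination value that carries SQL text never reaches the database.

    int() refuses it, so the query is not even built. Returns the row count
    afterwards to show the table is untouched.
    """
    try:
        fetch_page(conn, "0; DROP TABLE screenshots", 10)
    except ValueError:
        pass
    return conn.execute("SELECT COUNT(*) FROM screenshots").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print("page 1:", fetch_page(db, 0, 2))
    print("page 2:", fetch_page(db, 2, 2))
    print("quoted placeholders:", quoted_placeholders_fail(db))
    print("rows after hostile input:", hostile_input_is_rejected(db))
```

The same distinction applies to the AppDB `query_parameters()` helper discussed in the thread: a placeholder wrapped in quotes becomes part of the SQL string, so the driver counts fewer parameters than are supplied and the query fails instead of being parameterized. The `int()` check is belt and braces, since the bound parameters are already data, but it gives a clean error for values that LIMIT cannot accept.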