On Thu, Dec 04, 2003 at 04:39:15PM -0300, Martin Sarsale (runa@sytes) wrote :
> Yesterday, we found an interesting case of SQL Injection.
[...]
> The main problem here was that developers where trusting in PHP auto
> escaping which worked in MySQL (and probably PostgreSQL) but not in MSSQL.
The main problem in fact are developers who do not read the manual
for their language of choice[tm]. It is documented that
magic_quotes_sybase = true
uses the alternate escaping style needed by non-MySQL alike
databases (eg. MSSQL).
> Yesterday, we found an interesting case of SQL Injection.
[...]
> The main problem here was that developers where trusting in PHP auto
> escaping which worked in MySQL (and probably PostgreSQL) but not in MSSQL.
The main problem in fact are developers who do not read the manual
for their language of choice[tm]. It is documented that
magic_quotes_sybase = true
uses the alternate escaping style needed by non-MySQL alike
databases (eg. MSSQL).
regards,
- Markus
[ reply ]