[19295] in bugtraq
Re: Adcycle 0.78b Authentication
daemon@ATHENA.MIT.EDU (Dag-Erling Smorgrav)
Tue Feb 20 13:09:52 2001
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Message-Id: <xzpwvalpcba.fsf@aes.thinksec.com>
Date: Tue, 20 Feb 2001 17:08:09 +0100
Reply-To: des@THINKSEC.COM
From: Dag-Erling Smorgrav <des@THINKSEC.COM>
X-To: Neil K <neilk@ALLDAS.DE>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Neil K's message of "Mon, 19 Feb 2001 12:04:44 -0000"
Content-Transfer-Encoding: 8bit
Neil K <neilk@ALLDAS.DE> writes:
> Anyways how to patch?? well you could parse out the following character from *all
> the user defined fields: '.
Half-assed workaround. The correct fix is to modify the call to
$dbh->prepare() as follows:
> $sth = $dbh->prepare("SELECT * FROM login WHERE pid='$mycookpid' && agent='$agent' ORDER BY stime DESC");
$sth = $dbh->prepare("SELECT * FROM login WHERE pid=" .
$dbh->quote($mycookpid) .
" && agent =" .
$dbh->quote($agent) .
" ORDER BY stime DESC");
> "I'm always Frank and Ernest with the ladies,
> Frank in New York, Ernest in Boston"
> --quoted from some film i watched last night
Samuel L. Jackson to Larry King in _The Long Kiss Goodnight_ - the
correct quote is "I'm always frank and earnest with women. Uh, in New
York I'm Frank, and in Chicago I'm Ernest."
DES
--
Dag-Erling Smørgrav - des@thinksec.com
