[22627] in bugtraq
Re: Notice about seconds overroll - S7K bug
daemon@ATHENA.MIT.EDU (Robert Bihlmeyer)
Wed Sep 12 13:37:52 2001
To: bugtraq@securityfocus.com
Cc: Tonu Samuel <tonu@please.do.not.remove.this.spam.ee>
From: Robert Bihlmeyer <robbe@orcus.priv.at>
Date: 12 Sep 2001 12:05:13 +0200
In-Reply-To: <1000033481.2390.5.camel@x153.internalnet>
Message-ID: <87u1y8hgh2.fsf@orcus.priv.at>
Tonu Samuel <tonu@please.do.not.remove.this.spam.ee> writes:
> I would like to draw your attention to a bug which was introduced tonight
> and can affect some people who are using a (var)char field to store
> timestamp data.
Since the winnings are so slim, I hope not many people fell prey to
this bug. If you're gonna waste 5 bytes on convenience, wasting a 6th
to buy you peace at least until Unix doomsday does not seem too much.
If you were expecting speed earnings (no strtoul-ing the input) these
get pretty much zilched should you later compare the strings.
> In MySQL we suggested that people use quotation marks around integer
> values.
Which won't protect you from '; attacks, of course. So why not just
make sure that it is a real integer (ahem)? In Perl it would be as
easy as adding zero.
> This is the reason why people put quotation marks around integer
> expressions and this is correct.
Really?
> But when both the column and the expression are of character type, they get
> compared as strings.
As is to be expected when you're lying to your software. The date types
are there for a reason.
--
Robbe
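The two points of the exchange above, the string comparison that breaks when the Unix clock goes from nine to ten digits and the "make sure it is a real integer" check, as an added Python example that is not part of this mail (the `events` table, its rows and the timestamps are constructed):

```python
import re
import sqlite3

# Constructed sample: the Unix clock crossing 1,000,000,000 seconds (9 Sep 2001),
# the "seconds overroll" the thread is about.
BEFORE = 999_999_999      # nine decimal digits
AFTER = 1_000_000_000     # ten decimal digits

def less_as_varchar(a: int, b: int) -> bool:
    """a < b the way two unpadded (var)char timestamps compare: byte-wise, so
    the ten-digit value sorts *before* the nine-digit one ('1' < '9')."""
    return str(a) < str(b)

def less_padded(a: int, b: int, width: int = 10) -> bool:
    """Zero-pad to a fixed width (the 'waste a 6th byte' remedy): string order
    then equals numeric order for every value that fits in `width` digits."""
    return f"{a:0{width}d}" < f"{b:0{width}d}"

def is_integer(value: str) -> bool:
    """Strict form of the Perl 'add zero' idea: accept only a run of ASCII digits,
    so quote-breaking input is rejected before it gets near a query string."""
    return re.fullmatch(r"[0-9]+", value) is not None

def recent_events(conn: sqlite3.Connection, since: str) -> list:
    """Names of events at or after `since`; the value is validated and then
    bound as a parameter, and the column is INTEGER, so it is compared numerically."""
    if not is_integer(since):
        raise ValueError(f"not an integer: {since!r}")
    rows = conn.execute(
        "SELECT name FROM events WHERE ts >= ? ORDER BY ts", (int(since),)
    )
    return [name for (name,) in rows]

def demo_db() -> sqlite3.Connection:
    """In-memory table with one event on each side of the rollover (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (name TEXT, ts INTEGER)")
    conn.executemany("INSERT INTO events VALUES (?, ?)",
                     [("old", BEFORE), ("new", AFTER)])
    return conn
```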