[32717] in bugtraq
Re: Intresting case of SQL Injection
daemon@ATHENA.MIT.EDU (Markus Fischer)
Fri Dec 5 15:22:51 2003
Date: Thu, 4 Dec 2003 23:37:58 +0100
From: Markus Fischer <mfischer@gjat.josefine.at>
To: "Martin Sarsale (runa@sytes)" <runa@runa.sytes.net>
Cc: bugtraq@securityfocus.com
Message-ID: <20031204223758.GA5767@gjat.josefine.at>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <60681.127.0.0.1.1070566755.squirrel@webmail.runa.sytes.net>
On Thu, Dec 04, 2003 at 04:39:15PM -0300, Martin Sarsale (runa@sytes) wrote :
> Yesterday, we found an interesting case of SQL Injection.
[...]
> The main problem here was that developers where trusting in PHP auto
> escaping which worked in MySQL (and probably PostgreSQL) but not in MSSQL.
The main problem in fact are developers who do not read the manual
for their language of choice[tm]. It is documented that
magic_quotes_sybase = true
uses the alternate escaping style needed by non-MySQL alike
databases (eg. MSSQL).
regards,
- Markus
