Ticket #366 (closed defect: invalid)

Opened 2 years ago

Last modified 2 years ago

QB queries might be still sql injection vulnerable

Reported by: piotras
Assigned to: piotras
Priority: major
Milestone: 8.09.4 Ragnaroek
Component: Midgard Core
Version: 8.09 Ragnaroek
Keywords:
Cc:

Description

http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html

This page provides a proof of concept to work around the string escaping facility. Such a vulnerability should be checked against the QB implementation.

Change History

11/03/08 10:09:53 changed by piotras

  • milestone changed from 8.09.2 Ragnaroek to 8.09.3 Ragnaroek.

The example from the mentioned URL does not affect QB. Though, more tests should be done.

11/17/08 22:19:30 changed by piotras

  • milestone changed from 8.09.3 Ragnaroek to 8.09.4 Ragnaroek.

Not a major issue at the moment as it's UTF-8 safe.

01/13/09 23:20:42 changed by piotras

  • status changed from new to closed.
  • resolution set to invalid.

Closing. If you find some vulnerability, reopen it.
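As an added example (not Midgard's or the QB's own code) of the check the description asks for, and of why the "UTF-8 safe" remark in the change history holds: a Python harness that compares a byte-wise escaper with a charset-aware one under UTF-8 and GBK. All function names and the sample input are assumptions constructed for this illustration.

```python
# Added example, not Midgard/QB code: a charset-safety check for SQL string
# escapers, modelled on the bypass the linked article describes. All names
# are hypothetical and the sample input is constructed for this illustration.

SQL_SPECIALS = "'\"\\\x00"

def escape_bytewise(data: bytes) -> bytes:
    """Escape byte by byte, as addslashes() or an escaper that ignores the
    connection charset does. Only safe when no multibyte character can end
    in the byte 0x5c ('\\')."""
    out = bytearray()
    for b in data:
        if chr(b) in SQL_SPECIALS:
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def escape_charset_aware(data: bytes, charset: str) -> bytes:
    """Decode in the connection charset, escape per character, re-encode.
    Byte sequences invalid in that charset raise UnicodeDecodeError."""
    text = data.decode(charset)
    return "".join("\\" + c if c in SQL_SPECIALS else c for c in text).encode(charset)

def has_unescaped_quote(escaped: bytes, charset: str) -> bool:
    """Decode the escaped bytes as the server would, in the connection
    charset, and report whether a single quote survives without a
    backslash directly before it."""
    after_backslash = False
    for ch in escaped.decode(charset, errors="replace"):
        if ch == "'" and not after_backslash:
            return True
        after_backslash = ch == "\\" and not after_backslash
    return False

def escaper_is_safe(escaper, sample: bytes, charset: str) -> bool:
    """True if the escaper rejects the sample or leaves no stray quote in it."""
    try:
        escaped = escaper(sample)
    except UnicodeDecodeError:
        return True
    return not has_unescaped_quote(escaped, charset)

# Constructed sample: a lone high byte followed by a quote. In UTF-8, 0xbf can
# only be a continuation byte, so the inserted backslash is never swallowed;
# in GBK, 0xbf 0x5c forms one character and the quote is left standing alone.
SAMPLE = b"\xbf'"

if __name__ == "__main__":
    for cs in ("utf-8", "gbk"):
        print(cs, "byte-wise escaper safe:", escaper_is_safe(escape_bytewise, SAMPLE, cs))
```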