Thread: Little note to php coders
Check out this link if you need something to laugh at: http://www.postgresql.org/idocs/index.php?1'

Keeping in mind that there are a bunch of overflows in PostgreSQL (really?), it is very dangerous, I guess. Right?

________________________________________________________________________
This letter has been delivered unencrypted. We'd like to remind you that the full protection of e-mail correspondence is provided by S-mail encryption mechanisms if only both Sender and Recipient use S-mail. Register at S-mail.com: http://www.s-mail.com
On Tue, 8 Oct 2002, Sir Mordred The Traitor wrote:
> Check out this link if you need something to laugh at:
> http://www.postgresql.org/idocs/index.php?1'
>
> Keeping in mind that there are a bunch of overflows in PostgreSQL (really?),
> it is very dangerous, I guess. Right?

I'm not sure what list this really fits onto, so I've left it as hackers.

The old argument about data validation and whose job it is. However, is there a reason why all CGI parameters aren't scanned and rejected if they contain any punctuation? I was going to say if they contain anything non-alphanumeric, but then I'm not sure about internationalisation and that test.

--
Nigel J. Andrews
On Tue, 8 Oct 2002, Sir Mordred The Traitor wrote:
> Check out this link if you need something to laugh at:
> http://www.postgresql.org/idocs/index.php?1'
>
> Keeping in mind that there are a bunch of overflows in PostgreSQL (really?),
> it is very dangerous, I guess. Right?

Don't see what you're complaining about. I get the 7.2.1 admin guide.

Vince.
--
==========================================================================
Vince Vielhaber -- KA8CSH    email: vev@michvhf.com    http://www.pop4.net
56K Nationwide Dialup from $16.00/mo at Pop4 Networking
http://www.camping-usa.com  http://www.cloudninegifts.com
http://www.meanstreamradio.com  http://www.unknown-artists.com
==========================================================================
Nice. That little, cute admin :-). This is already fixed, and where is the 'thanks', I wonder?

I've been talking about SQL injection. How about this in http://www.postgresql.org/mirrors/index.php:

-------
Warning: PostgreSQL query failed: ERROR: invalid INET value 'r' in /usr/local/www/www/mirrors/index.php on line 263
Database update failed, contact the webmaster.
insert into mirrorsites(mirrorhostid,ipaddr,portnum,...) values(..)
------

The insert statement is shortened.
This is one of the reasons I usually recommend running with magic quotes on; it provides a bit of insurance for those spots where your data validation is not up to snuff.

Robert Treat

On Tue, 2002-10-08 at 06:11, Nigel J. Andrews wrote:
> On Tue, 8 Oct 2002, Sir Mordred The Traitor wrote:
>
> > Check out this link if you need something to laugh at:
> > http://www.postgresql.org/idocs/index.php?1'
> >
> > Keeping in mind that there are a bunch of overflows in PostgreSQL (really?),
> > it is very dangerous, I guess. Right?
>
> I'm not sure what list this really fits onto, so I've left it as hackers.
>
> The old argument about data validation and whose job it is. However, is there a
> reason why all CGI parameters aren't scanned and rejected if they contain
> any punctuation? I was going to say if they contain anything non-alphanumeric,
> but then I'm not sure about internationalisation and that test.
>
> --
> Nigel J. Andrews
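As an added example (not the postgresql.org site's own code, which is not on the page), here are the three variants the thread is arguing about, in PHP: the string concatenation that produces the error page behind index.php?1', the quoted-and-escaped form that magic quotes effectively gives you as "insurance", and a lookup that validates the value against the shape it actually has (Nigel's filter, narrowed to digits for an id) and passes it as a bind parameter. Everything specific is assumed: PHP 5.2 or 5.3 (pg_query_params, two-argument pg_escape_string, get_magic_quotes_gpc still meaningful), a table docs(id integer, title text), a parameter named id, and the connection string.

```php
<?php
// Added example, not the postgresql.org site code. Assumptions: PHP 5.2/5.3,
// a hypothetical table docs(id integer, title text), the request parameter
// is named id (the real idocs URL carries the value as the bare query string).
$conn = pg_connect('dbname=www') or die('no database');   // hypothetical DSN

// 1. The pattern behind index.php?1': the request value is pasted into the
//    SQL text. With id = 1'  PostgreSQL sees  ... where id = 1'  and raises a
//    syntax error, which this page then prints. With id = 1 or 1=1 the query
//    is valid and returns every row; that input contains no quote character,
//    so magic_quotes_gpc does nothing to it.
function fetch_doc_unsafe($conn, $id) {
    $sql = "select id, title from docs where id = $id";
    return pg_query($conn, $sql);
}

// 2. What magic quotes buys you: the value sits inside a quoted literal with
//    the quote escaped, so 1' becomes the literal '1'''. The server can no
//    longer be steered into different SQL, but it still rejects the value
//    ("invalid input syntax for integer"), so without checking the result the
//    user still gets an error page, like the INET error on the mirrors page.
//    Insurance, not validation.
function fetch_doc_escaped($conn, $id) {
    $sql = "select id, title from docs where id = '"
         . pg_escape_string($conn, $id) . "'";
    return pg_query($conn, $sql);
}

// 3. Validate against the shape this parameter really has (a document id is a
//    string of digits, which also sidesteps the internationalisation worry
//    about a blanket punctuation filter) and bind it, so the server never
//    parses the value as SQL at all.
function fetch_doc($conn, $id) {
    if (!is_string($id) || !ctype_digit($id)) {
        return false;            // reject rather than repair
    }
    return pg_query_params($conn,
        'select id, title from docs where id = $1', array($id));
}

$id = isset($_GET['id']) ? $_GET['id'] : '';
if (get_magic_quotes_gpc()) {
    // With magic quotes on, PHP already backslash-escaped $_GET. Undo it so
    // the code above escapes exactly once and validates the raw value.
    $id = stripslashes($id);
}

$res = fetch_doc($conn, $id);
if ($res === false) {
    // Rejected or failed: log the detail, never echo pg_last_error() into
    // the page (the mirrors page printed its full insert statement).
    error_log('docs lookup failed for id ' . $id . ': ' . pg_last_error($conn));
    header('HTTP/1.0 400 Bad Request');
    echo 'Bad request.';
    exit;
}
while ($row = pg_fetch_assoc($res)) {
    echo htmlspecialchars($row['title']), "\n";
}
```

The escaping in variant 2 only helps when the value is inside a quoted literal; a value interpolated bare into a numeric comparison, an ORDER BY or a LIMIT gets no protection from magic quotes, which is why the thread's "bit of insurance" is the right description and variant 3 is the fix.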