Bugtraq mailing list archives
Re: Intresting case of SQL Injection
From: Markus Fischer <mfischer () gjat josefine at>
Date: Thu, 4 Dec 2003 23:37:58 +0100
On Thu, Dec 04, 2003 at 04:39:15PM -0300, Martin Sarsale (runa@sytes) wrote :
> Yesterday, we found an interesting case of SQL Injection.
> [...]
> The main problem here was that developers were trusting in PHP auto escaping which worked in MySQL (and probably PostgreSQL) but not in MSSQL.

The main problem in fact are developers who do not read the manual for their language of choice[tm]. It is documented that magic_quotes_sybase = true uses the alternate escaping style needed by non-MySQL alike databases (e.g. MSSQL).

regards,
- Markus
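
The difference between the two escaping styles named in this thread, as an added example that is not part of the original messages: a simplified Python model (helper names and sample values are constructed) that checks whether an escaped value still parses as one complete string literal under a grammar where backslash is an escape character (the MySQL default) and under one where only a doubled quote is (MSSQL). It goes slightly beyond the thread by also running the doubling style against the backslash grammar.

```python
# Added example: a model of the two escaping styles and two literal grammars.
# Sample values are constructed; the helper names are hypothetical.

def escape_backslash(value):
    """Default magic_quotes style: backslash before ', ", \\ and NUL."""
    table = {"'": "\\'", '"': '\\"', "\\": "\\\\", "\0": "\\0"}
    return "".join(table.get(ch, ch) for ch in value)

def escape_doubling(value):
    """magic_quotes_sybase style: only ' is escaped, by doubling it."""
    return value.replace("'", "''")

def read_literal(sql, start, backslash_escapes):
    """Parse the '...' literal at sql[start]; return (value, index after it)."""
    i, buf = start + 1, []
    while i < len(sql):
        ch = sql[i]
        if backslash_escapes and ch == "\\" and i + 1 < len(sql):
            buf.append(sql[i + 1])      # MySQL-like: backslash escapes next char
            i += 2
        elif ch == "'" and sql[i + 1:i + 2] == "'":
            buf.append("'")             # doubled quote is one literal quote
            i += 2
        elif ch == "'":
            return "".join(buf), i + 1  # closing quote
        else:
            buf.append(ch)
            i += 1
    raise ValueError("unterminated string literal")

def survives(value, escape, backslash_escapes):
    """True if the escaped value round-trips as exactly one whole literal."""
    prefix = "SELECT id FROM users WHERE name = "
    sql = prefix + "'" + escape(value) + "'"
    try:
        parsed, end = read_literal(sql, len(prefix), backslash_escapes)
    except ValueError:
        return False
    return parsed == value and end == len(sql)

def matrix(value):
    """Result per (escaping style, literal grammar) pair for one value."""
    return {
        ("backslash", "mysql"): survives(value, escape_backslash, True),
        ("backslash", "mssql"): survives(value, escape_backslash, False),
        ("doubling", "mssql"): survives(value, escape_doubling, False),
        ("doubling", "mysql"): survives(value, escape_doubling, True),
    }
```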