Bugtraq mailing list archives

Re: Interesting case of SQL Injection


From: Markus Fischer <mfischer () gjat josefine at>
Date: Thu, 4 Dec 2003 23:37:58 +0100

On Thu, Dec 04, 2003 at 04:39:15PM -0300, Martin Sarsale (runa@sytes) wrote : 
Yesterday, we found an interesting case of SQL Injection.
[...]
The main problem here was that developers were trusting in PHP auto
escaping which worked in MySQL (and probably PostgreSQL) but not in MSSQL.

    The main problem in fact is developers who do not read the manual
    for their language of choice[tm]. It is documented that
    magic_quotes_sybase = true
    uses the alternate escaping style needed by non-MySQL-like
    databases (e.g. MSSQL).

    regards,
        - Markus
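As an added illustration (not part of Markus's reply or the original thread), the following Python script models the two escaping styles the post contrasts and checks, per SQL dialect, whether escaped user input stays inside its string literal. The dialect behaviour is a deliberately minimal literal scanner written for this example, not a real parser: MySQL treats backslash as an escape character, MSSQL treats it as an ordinary character and only recognises a doubled quote.

```python
"""Check which quote-escaping style keeps input inside a string literal.

escape_mysql_style mimics PHP magic_quotes_gpc / addslashes() (backslash
prefix); escape_sybase_style mimics magic_quotes_sybase (doubled quote).
The scanner below is a simplified model of the two dialects, an assumption
made for this example.
"""


def escape_mysql_style(value: str) -> str:
    # addslashes(): prefix backslash, single quote, double quote and NUL.
    return (value.replace("\\", "\\\\").replace("'", "\\'")
                 .replace('"', '\\"').replace("\0", "\\0"))


def escape_sybase_style(value: str) -> str:
    # magic_quotes_sybase: double single quotes, leave backslashes alone.
    return value.replace("'", "''")


def literal_end(sql: str, start: int, backslash_escapes: bool) -> int:
    """Index of the quote closing the literal opened at sql[start], or -1."""
    i, n = start + 1, len(sql)
    while i < n:
        c = sql[i]
        if backslash_escapes and c == "\\":
            i += 2  # MySQL default mode: backslash escapes the next char
            continue
        if c == "'":
            if i + 1 < n and sql[i + 1] == "'":
                i += 2  # doubled quote is a literal quote in both dialects
                continue
            return i
        i += 1
    return -1  # unterminated literal


def injection_contained(user_input: str, escape, backslash_escapes: bool) -> bool:
    """Build the query the way the vulnerable code did and report whether the
    user-controlled text is confined to the literal under the given dialect."""
    sql = "SELECT * FROM users WHERE name = '" + escape(user_input) + "'"
    end = literal_end(sql, sql.index("'"), backslash_escapes)
    return end == len(sql) - 1  # literal must close at the query's last quote


if __name__ == "__main__":
    probe = "x' OR 1=1 --"  # constructed breakout attempt
    for name, esc in (("mysql-style", escape_mysql_style),
                      ("sybase-style", escape_sybase_style)):
        for dialect, bs in (("MySQL", True), ("MSSQL", False)):
            print(f"{name:13s} on {dialect}: contained="
                  f"{injection_contained(probe, esc, bs)}")
```

Backslash escaping only holds on the dialect that interprets backslashes, and doubled-quote escaping fails on MySQL when the input ends a literal with a stray backslash, so the escaping style must match the target database (or be replaced by parameterised queries).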

