Bugtraq mailing list archives
Re: Adcycle 0.78b Authentication
From: Kenneth van Grinsven <kenneth () VANGRINSVEN COM>
Date: Tue, 20 Feb 2001 21:20:09 +0100
> Half-assed workaround. The correct fix is to modify the call to
> $dbh->prepare() as follows:
>
>   $sth = $dbh->prepare("SELECT * FROM login WHERE pid='$mycookpid' &&
>       agent='$agent' ORDER BY stime DESC");
>
>   $sth = $dbh->prepare("SELECT * FROM login WHERE pid=" . $dbh->quote($mycookpid)
>       . " && agent =" . $dbh->quote($agent) . " ORDER BY stime DESC");

Actually the safe way would be to:

  $sth = $dbh->prepare("SELECT * FROM login WHERE pid = ? AND agent = ? ORDER BY stime DESC");
  $sth->execute($mycookpid, $agent);

By using placeholders, your scalars can contain anything you like, without
having malicious side effects.

Greetings,
Kenneth van Grinsven
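Added example (not Adcycle's code and not posted in this thread) that runs the interpolated prepare() from the original code side by side with the placeholder form against a small in-memory SQLite stand-in for the login table; it assumes DBD::SQLite is installed and the table contents are constructed. With a pid value that carries a quote character, the interpolated query still matches the stored session row while the bound query matches nothing.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Stand-in for Adcycle's `login` table, built in an in-memory SQLite database
# so the script runs offline (constructed schema and data, not Adcycle's own).
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "",
                       { RaiseError => 1, PrintError => 0 });
$dbh->do("CREATE TABLE login (pid TEXT, agent TEXT, stime INTEGER)");
$dbh->do("INSERT INTO login VALUES ('real-session-pid', 'Mozilla/4.0', 100)");

# Interpolated form from the original code: the cookie value becomes SQL text.
# (SQLite has no `&&`, so AND is used; the structure is otherwise the same.)
sub rows_interpolated {
    my ($mycookpid, $agent) = @_;
    my $sth = $dbh->prepare("SELECT * FROM login WHERE pid='$mycookpid' "
                          . "AND agent='$agent' ORDER BY stime DESC");
    $sth->execute;
    return scalar @{ $sth->fetchall_arrayref };
}

# Placeholder form: the driver binds the values, so they are only ever data.
sub rows_bound {
    my ($mycookpid, $agent) = @_;
    my $sth = $dbh->prepare("SELECT * FROM login WHERE pid = ? AND agent = ? "
                          . "ORDER BY stime DESC");
    $sth->execute($mycookpid, $agent);
    return scalar @{ $sth->fetchall_arrayref };
}

# Constructed cookie pid that belongs to no session but contains a quote.
# Interpolated, it changes the WHERE clause; bound, it is compared literally.
my $bogus_pid = "nosuch' OR '1'='1";
my $agent     = "Mozilla/4.0";

printf "interpolated: %d row(s) returned\n", rows_interpolated($bogus_pid, $agent);
printf "placeholder:  %d row(s) returned\n", rows_bound($bogus_pid, $agent);

$dbh->disconnect;
```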
Current thread:
- Adcycle 0.78b Authentication Neil K (Feb 19)
- Re: Adcycle 0.78b Authentication Dag-Erling Smorgrav (Feb 20)
- <Possible follow-ups>
- Re: Adcycle 0.78b Authentication Kenneth van Grinsven (Feb 20)