URL: <http://gna.org/bugs/?func=detailitem&item_id=4569>

Summary: SQL strings not escaped when magic_quotes_gpc is not enabled
Project: Galette
Submitted by: pbaumard
Submitted on: Sun 23.10.2005 at 04:53
Priority: 5 - Normal
Severity: 6 - Security
Status: None
Assigned to: None
Originator Email:
Open/Closed: Open

_______________________________________________________

Details:

From http://phplens.com/adodb/reference.functions.qstr.html
adodb qstr method has to be called with get_magic_quotes_gpc() as a second parameter:

    $db->qstr($value,get_magic_quotes_gpc())

But in galette code most of the calls set the second parameter as true:

    $DB->qstr($value, true)

So when magic_quotes_gpc is not enabled SQL strings are not escaped, and worse, Galette fails silently without showing any error message.

_______________________________________________________

Carbon-Copy List:

CC Address                          | Comment
------------------------------------+-----------------------------
pbaumard                            |

_______________________________________________________

Reply to this item at:

  <http://gna.org/bugs/?func=detailitem&item_id=4569>

_______________________________________________
Message sent via Gna!
http://gna.org/
Generated by mhonarc, Tue Oct 25 20:41:36 2005
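
The behaviour described in the report, as an added example that is not part of the original message and is not Galette or ADOdb code. model_qstr() and model_request_value() are simplified stand-ins written for this example (MySQL-style backslash quoting assumed), and "O'Brien" is a constructed input.

```php
<?php
// Simplified stand-in for ADOdb's qstr() with MySQL-style quoting.
// $magicQuotes === true means "the caller says PHP already added the
// backslashes", so the value is wrapped in quotes without escaping.
function model_qstr(string $s, bool $magicQuotes = false): string
{
    if (!$magicQuotes) {
        // Escape backslashes first, then single quotes.
        $s = str_replace(['\\', "'"], ['\\\\', "\\'"], $s);
    }
    return "'" . $s . "'";
}

// What magic_quotes_gpc did to request data when it was enabled
// (modelled here because the setting no longer exists in current PHP).
function model_request_value(string $raw, bool $magicQuotesGpc): string
{
    return $magicQuotesGpc ? addslashes($raw) : $raw;
}

// True when every single quote inside the literal is backslash-escaped,
// i.e. the value cannot end the SQL string literal early.
function literal_is_closed(string $literal): bool
{
    $inner = substr($literal, 1, -1);
    return preg_match("/(?<!\\\\)(?:\\\\\\\\)*'/", $inner) === 0;
}

$raw = "O'Brien"; // constructed sample input

foreach ([true, false] as $gpc) {
    $value = model_request_value($raw, $gpc);
    $cases = ['hardcoded true' => true, 'flag matches setting' => $gpc];
    foreach ($cases as $label => $flag) {
        $literal = model_qstr($value, $flag);
        printf(
            "magic_quotes_gpc=%-3s  %-20s  %-12s  closed=%s\n",
            $gpc ? 'on' : 'off',
            $label,
            $literal,
            literal_is_closed($literal) ? 'yes' : 'NO'
        );
    }
}
```

Only the combination of magic_quotes_gpc off and a hardcoded true produces a literal that is not closed, which is also why an ordinary value containing an apostrophe makes the query fail.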