Bugtraq mailing list archives

Re: Adcycle 0.78b Authentication


From: Kenneth van Grinsven <kenneth () VANGRINSVEN COM>
Date: Tue, 20 Feb 2001 21:20:09 +0100

Half-assed workaround. The correct fix is to modify the call to
$dbh->prepare() as follows:
    $sth = $dbh->prepare("SELECT * FROM login WHERE pid='$mycookpid' &&
                          agent='$agent' ORDER BY stime DESC");

    $sth = $dbh->prepare("SELECT * FROM login WHERE pid=" .
                         $dbh->quote($mycookpid) .
                         " && agent =" .
                         $dbh->quote($agent) .
                         " ORDER BY stime DESC");

Actually the safe way would be to:

$sth = $dbh->prepare("SELECT * FROM login WHERE pid = ? AND agent = ? ORDER BY
stime DESC");
$sth->execute($mycookpid, $agent);

By using placeholders, your scalars can contain anything you like, without
having malicious side effects.

Greetings,

Kenneth van Grinsven
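Added example, not from the post or from AdCycle itself: the interpolated query and the placeholder query side by side, written with Python's sqlite3 in-memory database standing in for Perl DBI (sqlite3 binds `?` placeholders the same way DBI does). The `login` table, its single row and the quote-bearing cookie value are constructed for the demonstration; `AND` is used in place of MySQL's `&&`, as in the post's own placeholder version.

```python
import sqlite3


def make_db():
    """Constructed in-memory 'login' table with the columns the post's query uses."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE login (pid TEXT, agent TEXT, stime INTEGER)")
    conn.execute("INSERT INTO login VALUES ('secret-pid-123', 'Mozilla/4.0', 1)")
    conn.commit()
    return conn


def lookup_interpolated(conn, mycookpid, agent):
    """The pattern the post objects to: untrusted scalars pasted into the SQL text."""
    sql = ("SELECT * FROM login WHERE pid='%s' AND agent='%s' "
           "ORDER BY stime DESC" % (mycookpid, agent))
    return conn.execute(sql).fetchall()


def lookup_placeholder(conn, mycookpid, agent):
    """The fix the post recommends: placeholders, values bound by the driver."""
    sql = "SELECT * FROM login WHERE pid = ? AND agent = ? ORDER BY stime DESC"
    return conn.execute(sql, (mycookpid, agent)).fetchall()


if __name__ == "__main__":
    # Constructed cookie value that carries a quote character.
    hostile = "' OR ''='"
    db = make_db()
    # Interpolation turns the WHERE clause into one that is always true:
    # ... pid='' OR ''='' AND agent='' OR ''='' ... so the session row matches.
    print(lookup_interpolated(db, hostile, hostile))   # -> 1 row
    # With placeholders the same string is compared literally and matches nothing.
    print(lookup_placeholder(db, hostile, hostile))    # -> []
    # A genuine cookie/agent pair still resolves its session.
    print(lookup_placeholder(db, "secret-pid-123", "Mozilla/4.0"))  # -> 1 row
```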
