|
From: Christian B. <pos...@cb...> - 2011-08-23 00:04:13
|
Hello, Am Sonntag, 21. August 2011 schrieb chr...@us...: > Revision: 1171 > functions.inc.php - check_owner(): > - escape_string() $username and $domain to prevent SQL injections Just for the records: 2.3.3 uses pre-escaped parameters for check_owner(), which means it is secure. (I checked every call of check_owner.) I didn't check everything in trunk, but I'm quite sure that everything is pre-escaped there also. The only exception is vacation.php in the version I commited _after_ adding escaping in escape_string(). In other words: The commit message sounds more dangerous than it is. There never was a SQL injection bug, and the changed version will prevent future ones. Regards, Christian Boltz -- > beim Übersetzen von qcad steigt die Prozessorauslastung von > cc1plus bis auf 98% an. Dasist doch nicht üblich, oder? Warum stört Dich das? Du hast doch die ganze CPU bezahlt, oder? Oder hast Du nur 'ne halbe? [> Stefan Schlörholz und Andreas Kyek in suse-linux] |
