Re: [AppDB] Fix to allow creating of new accounts (urgent)
Hello,
$result = mysql_query("INSERT INTO user_list VALUES ( NOW(), 0, ". "'$username', password('$password'), ". - "'$realname', '$email', NOW(), 0, 0)"); + "'$realname', '$email', NOW(), 0, 0, '$CVSrelease')");
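Review bot: the added last line puts '$CVSrelease' into the query string by plain interpolation, exactly as '$username', '$realname' and '$email' already are, so a quote character in that value changes the statement. Since the line is being rewritten anyway, escape the value or bind it as a parameter before it reaches mysql_query(). The INSERT also names no columns, so appending a tenth value only works if the new column is the last one in user_list; listing the columns explicitly would remove that dependency.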
Shouldn't one use "'".mysql_escape_string($username)."','" etc.? Or is it ensured elsewhere that no unwanted characters are in the string? ( ' is escaped in PHP, isn't it?)
Tobias
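What binding the values, instead of quoting them by hand, looks like for this INSERT. This is an added example, not part of the original post or of the AppDB code. It swaps the suggested mysql_escape_string() for PDO prepared statements (the mysql_* functions were removed in PHP 7) and MySQL's password() for PHP's password_hash(); the column names and the in-memory SQLite database are assumptions, because the thread does not show the user_list schema.

```php
<?php
// Added example. Column names are hypothetical: the thread never shows the
// user_list schema. An in-memory SQLite database stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE user_list (
    stamp TEXT, userid INTEGER, username TEXT, password TEXT, realname TEXT,
    email TEXT, created TEXT, flag_a INTEGER, flag_b INTEGER, CVSrelease TEXT)");

// The pattern from the patch: values pasted straight into the SQL text.
function insert_concatenated(PDO $db, array $u): void
{
    $db->exec("INSERT INTO user_list VALUES (CURRENT_TIMESTAMP, 0, " .
        "'{$u['username']}', '{$u['password']}', " .
        "'{$u['realname']}', '{$u['email']}', CURRENT_TIMESTAMP, 0, 0, " .
        "'{$u['CVSrelease']}')");
}

// The same INSERT with bound parameters and an explicit column list.
function insert_bound(PDO $db, array $u): void
{
    $stmt = $db->prepare(
        "INSERT INTO user_list (stamp, userid, username, password, realname,
                                email, created, flag_a, flag_b, CVSrelease)
         VALUES (CURRENT_TIMESTAMP, 0, :username, :password, :realname,
                 :email, CURRENT_TIMESTAMP, 0, 0, :cvsrelease)");
    $stmt->execute([
        ':username'   => $u['username'],
        // password_hash() is swapped in for MySQL's password() here.
        ':password'   => password_hash($u['password'], PASSWORD_DEFAULT),
        ':realname'   => $u['realname'],
        ':email'      => $u['email'],
        ':cvsrelease' => $u['CVSrelease'],
    ]);
}

// Constructed input: an ordinary name that contains an apostrophe.
$user = ['username' => 'pobrien', 'password' => 'example-only',
         'realname' => "Pat O'Brien", 'email' => 'pat@example.org',
         'CVSrelease' => '20050101'];
try {
    insert_concatenated($db, $user);
} catch (PDOException $e) {
    echo "concatenated query rejected: the apostrophe ended the string early\n";
}
insert_bound($db, $user);
$stored = $db->query("SELECT realname FROM user_list")->fetchColumn();
echo "stored realname: $stored\n";
```

With bound parameters the data never becomes part of the statement text, so no per-value escaping call can be forgotten when a line like this one is edited later.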
Tobias Burnus wrote:
Hello,
$result = mysql_query("INSERT INTO user_list VALUES ( NOW(), 0, ". "'$username', password('$password'), ". - "'$realname', '$email', NOW(), 0, 0)"); + "'$realname', '$email', NOW(), 0, 0, '$CVSrelease')");
Shouldn't one use "'".mysql_escape_string($username)."','" etc.? Or is it ensured elsewhere that no unwanted characters are in the string? ( ' is escaped in PHP, isn't it?)
Tobias
This is not a security patch...
Hello,
tony_lambregts(a)telusplanet.net wrote:
- "'$realname', '$email', NOW(), 0, 0)"); + "'$realname', '$email', NOW(), 0, 0, '$CVSrelease')");
Shouldn't one use "'".mysql_escape_string($username)."','" etc.? Or is it ensured elsewhere that no unwanted characters are in the string? ( ' is escaped in PHP, isn't it?)
This is not a security patch...
True, but shouldn't one try to be secure if one needs to touch such lines?
Tobias
Tobias Burnus wrote:
Hello,
tony_lambregts(a)telusplanet.net wrote:
- "'$realname', '$email', NOW(), 0, 0)"); + "'$realname', '$email', NOW(), 0, 0, '$CVSrelease')");
Shouldn't one use "'".mysql_escape_string($username)."','" etc.? Or is it ensured elsewhere that no unwanted characters are in the string? ( ' is escaped in PHP, isn't it?)
This is not a security patch...
True, but shouldn't one try to be secure if one needs to touch such lines?
Tobias
I admit it, I am an idiot for not knowing what to do to fix security flaws.
Please send mail about security problems with winehq directly to jnewman(a)codeweavers.com rather than advertising on public mailing lists first :)
Mike
tony_lambregts(a)telusplanet.net wrote:
I admit it, I am an idiot for not knowing what to do to fix security flaws.
On Thu, 06 Jan 2005 14:19:45 +0900, Mike McCormack <mike(a)codeweavers.com> wrote:
Please send mail about security problems with winehq directly to jnewman(a)codeweavers.com rather than advertising on public mailing lists first :)
Agreed, this shouldn't be on a public list. But cc Chris Morgan, Tony and me as well please.
Paul
participants (4): Mike McCormack, Paul van Schayck, Tobias Burnus, tony_lambregts@telusplanet.net