[TYPO3-core] Security Fix for bug #1369
Martin Kutschker
Martin.Kutschker at blackbox.net
Fri Nov 25 13:26:18 CET 2005
Branch: HEAD / 3.8.2
Description:
In t3lib_db addslashes is used for quoting strings to be sent to the DB. The quote functions do not take the magic_quotes_sybase settings of PHP into account. When magic_quotes_sybase is on there is the possibility of an SQL injection.
Solution:
Use the quoting function provided by the Mysql API: mysql_real_escape_string.
Masi
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/x-patch
Size: 505 bytes
Desc: not available
Url : http://lists.netfielders.de/pipermail/typo3-team-core/attachments/20051125/362e3daf/attachment.bin
More information about the TYPO3-team-core
mailing list