[TYPO3-core] Security Fix for bug #1369

Martin Kutschker Martin.Kutschker at blackbox.net
Fri Nov 25 13:26:18 CET 2005


Branch: HEAD / 3.8.2

Description:

In t3lib_db, addslashes is used for quoting strings to be sent to the DB. The quote functions do not take the magic_quotes_sybase setting of PHP into account. When magic_quotes_sybase is on, there is the possibility of an SQL injection.

Solution:

Use the quoting function provided by the MySQL API: mysql_real_escape_string.

Masi 
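The quoting difference behind this fix, as an added Python model (this is not the TYPO3 patch, which is PHP): `addslashes` reproduces PHP's behaviour with magic_quotes_sybase off and on (the on-mode rule, doubling `'` and leaving backslashes alone, is modelled from PHP's string.c and is an assumption here), `mysql_real_escape_string` models the MySQL client escaping, and `stays_one_literal` scans the quoted result the way the MySQL lexer does (assuming the NO_BACKSLASH_ESCAPES sql_mode is off) to check that the value cannot end the string literal early.

```python
def addslashes(s: str, magic_quotes_sybase: bool = False) -> str:
    """Model of PHP addslashes(). With magic_quotes_sybase on, only ' (doubled)
    and NUL are touched; a backslash in the input passes through unescaped."""
    if magic_quotes_sybase:
        return s.replace("\0", "\\0").replace("'", "''")
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)      # default mode: backslash-escape ' " and \
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


# Escapes applied by the MySQL client library (mysql_real_escape_string).
_MYSQL_ESCAPES = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
                  "'": "\\'", '"': '\\"', "\x1a": "\\Z"}


def mysql_real_escape_string(s: str) -> str:
    """Model of the MySQL API quoting function the fix switches to."""
    return "".join(_MYSQL_ESCAPES.get(ch, ch) for ch in s)


def mysql_literal_end(sql: str, start: int) -> int:
    """Index just past the single-quoted literal that starts at sql[start].
    MySQL rules: a backslash escapes the next character, '' is a literal quote."""
    i = start + 1
    while i < len(sql):
        if sql[i] == "\\":
            i += 2                     # escaped character, skip it
        elif sql[i] == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                i += 2                 # doubled quote inside the literal
            else:
                return i + 1           # closing quote
        else:
            i += 1
    raise ValueError("unterminated string literal")


def stays_one_literal(value: str, quote) -> bool:
    """True if quote(value), wrapped in quotes, is consumed as a single literal;
    False means the value terminated the literal early (injection is possible)."""
    sql = "'" + quote(value) + "'"
    return mysql_literal_end(sql, 0) == len(sql)


# Constructed input: a backslash immediately followed by a single quote.
TRICKY = "\\'x"
```

With magic_quotes_sybase on, `stays_one_literal(TRICKY, lambda v: addslashes(v, True))` is False because the backslash survives and the doubled quote is read as an escaped quote plus a real closing quote, while `mysql_real_escape_string` escapes the backslash and keeps the literal intact.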
Patch attached (text/x-patch, 505 bytes): http://lists.netfielders.de/pipermail/typo3-team-core/attachments/20051125/362e3daf/attachment.bin

