Exactly. How many SQL injection vulnerabilities are the result of PHP's mysql_query() design for example?
Github compromised, or not?!
Posted Mar 5, 2012 17:27 UTC (Mon) by ajross (subscriber, #4563)
Basically the same stupid mistake. It's a collision between convenience (representing query parameters as variables automatically without the need to explicitly parse/validate/declare/etc...) and safety (forgetting that the resulting variables are potentially from untrusted sources). Rails leans heavily on the DRY principle, and would be expected to be particularly susceptible to this kind of goof.
Posted Mar 6, 2012 8:22 UTC (Tue) by Los__D (guest, #15263)
Posted Mar 9, 2012 12:57 UTC (Fri) by knobunc (subscriber, #4678)
The problem is that it makes it easy to forget to escape the parameters to your queries. Prefer something with placeholders/bind variables.
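The two complaints above (query text built from interpolated input, the mysql_query() habit, versus placeholders/bind variables) side by side, as an added example that is not part of the thread; it uses Python's standard sqlite3 module, and the table and rows are constructed here rather than taken from any real system:

```python
"""Interpolated SQL versus a bound parameter for the same lookup.
The database, table and rows below are constructed for this example."""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    return conn


def lookup_interpolated(conn: sqlite3.Connection, name: str) -> list:
    # Vulnerable pattern: the caller's string is spliced into the SQL text,
    # so a quote character in it changes the statement's structure. This is
    # the shape of code the thread criticises, whether PHP or Python.
    sql = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_bound(conn: sqlite3.Connection, name: str) -> list:
    # Safe pattern: the value travels separately from the SQL text and can
    # only ever be compared as data, never parsed as part of the statement.
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def interpolation_breaks(conn: sqlite3.Connection, name: str) -> bool:
    # True when the interpolated form cannot even run for this input. An
    # honest value such as "o'brien" is enough to show the structural bug,
    # because the apostrophe terminates the string literal early.
    try:
        lookup_interpolated(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print(lookup_bound(db, "alice"))           # ['alice@example.org']
    print(lookup_bound(db, "o'brien"))         # [] (treated as plain data)
    print(interpolation_breaks(db, "o'brien")) # True
```

The bound version returns an empty result for an apostrophe in the name, which is what a missing user should look like; the interpolated version fails outright, and that same mechanism is what an attacker-controlled string exploits.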
Posted Mar 9, 2012 13:21 UTC (Fri) by Los__D (guest, #15263)
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds