Exactly. How many SQL injection vulnerabilities are the result of PHP's mysql_query() design for example?
Github compromised, or not?!
Posted Mar 5, 2012 17:27 UTC (Mon) by ajross (subscriber, #4563)
Basically the same stupid mistake. It's a collision between convenience (representing query parameters as variables automatically without the need to explicitly parse/validate/declare/etc...) and safety (forgetting that the resulting variables are potentially from untrusted sources). Rails leans heavily on the DRY principle, and would be expected to be particularly susceptible to this kind of goof.
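The convenience-versus-safety trade-off ajross describes, shown as an added example (not code from the thread, from Rails, or from GitHub): a naive update routine copies every request parameter onto a record, while the allow-listed version only accepts the fields the form is meant to edit and reports the rest. The `User` record and its `is_admin` field are hypothetical, and the request body is constructed for the example.

```python
"""Mass assignment: naive attribute copying vs an allow-list (added example)."""
from dataclasses import dataclass


@dataclass
class User:
    """Hypothetical record; is_admin stands in for any privileged field."""
    name: str
    email: str
    is_admin: bool = False


def update_unsafe(user, params):
    """The 'convenience' path: every request parameter becomes an attribute,
    including ones the form never exposed (the variables are untrusted input)."""
    for key, value in params.items():
        setattr(user, key, value)
    return user


# Fields the profile form legitimately edits; anything else is ignored.
ALLOWED = frozenset({"name", "email"})


def update_safe(user, params):
    """The allow-listed path: copy only permitted keys and return the rejected
    ones so the caller can log them (a rejected key is a useful detection signal)."""
    rejected = sorted(k for k in params if k not in ALLOWED)
    for key in params.keys() & ALLOWED:
        setattr(user, key, params[key])
    return user, rejected


# Constructed request body: one legitimate field plus a privileged one.
REQUEST = {"name": "alice", "is_admin": True}

if __name__ == "__main__":
    print(update_unsafe(User("bob", "bob@example.com"), dict(REQUEST)))
    print(update_safe(User("bob", "bob@example.com"), dict(REQUEST)))
```

The rejected-key list is worth logging: a request that names fields the form does not offer is either a client bug or someone probing the model.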
Posted Mar 6, 2012 8:22 UTC (Tue) by Los__D (guest, #15263)
Posted Mar 9, 2012 12:57 UTC (Fri) by knobunc (subscriber, #4678)
The problem is that it makes it easy to forget to escape the parameters to your queries. Prefer something with placeholders/bind variables.
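knobunc's advice in code, as an added example that is not from the thread or from PHP: Python's standard `sqlite3` module stands in for `mysql_query()`, the table and its rows are constructed for the example, and a name that legitimately contains an apostrophe is enough to show what "forgetting to escape" costs.

```python
"""Hand-escaping vs bind variables, on an in-memory SQLite table (added example)."""
import sqlite3


def make_db():
    """Constructed sample table; one name legitimately contains an apostrophe."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("O'Brien",)])
    return conn


def lookup_concat(conn, name):
    """The mysql_query()-style habit: the value is spliced into the SQL text, so
    the caller must remember to escape it. Nobody did here, so an apostrophe in
    the input breaks the statement (returned as None) and anything else in the
    input is parsed as SQL rather than treated as data."""
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError:
        return None


def lookup_bound(conn, name):
    """Placeholder/bind variable: the value travels separately from the
    statement text, so there is nothing to forget; quotes in the input stay data."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print(lookup_concat(db, "O'Brien"))  # None: the statement fails to parse
    print(lookup_bound(db, "O'Brien"))   # ["O'Brien"]
```

The failing case is the benign one; the same missing escape is what turns other quote-bearing input into a query the author never wrote, which is why the bound form is the one to reach for by default.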
Posted Mar 9, 2012 13:21 UTC (Fri) by Los__D (guest, #15263)
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds