On Thu, 2009-10-15 at 13:26 +1100, Steffen Joeris wrote: > Hi everyone > > We had a few issues in the past with insufficient database escaping, which > lead > to possible SQL injections due to the use of the deprecated functions > mysql_escape_string() and PQescapeString(). > These functions do not take the encoding of the established connection into > account, which can lead to insufficient escaping, if the encoding of this > connection can be set to certain multibyte character encodings (such as GBK). > I found the explanation given in this email[0] quite useful to elaborate on > the thread. > > In order to prevent this issue, the new functions mysql_real_escape_string() > [1] and PQescapeStringConn()[2] have been added, which honour the specific > encoding of the connection. > [snip] > > ampache: Charlie Smotherman <cj...@cableone.net> > > ./ampache-3.5.1/modules/getid3/extension.cache.mysql.php: > $filenam2 > = mysql_escape_string($filename); > ./ampache-3.5.1/modules/getid3/extension.cache.mysql.php: $res2 = > mysql_escape_string(serialize($result)); > Steffen,
Thanks for the mail. I have patched ampache to use mysql_real_escape_string(). I would appreciate it if someone would sponsor this fix. http://mentors.debian.net/debian/pool/main/a/ampache/ampache_3.5.1-2.dsc Thank you Charlie Smotherman
signature.asc
Description: This is a digitally signed message part