Re: Re: Re: [KAPDA::#16] - SMF SQL Injection

2005-12-14 Thread grudge
Remember, SMF only shows database syntax errors to administrators anyway, so they would not even see the query string itself. All the average user trying this gets is "A database error has occurred". Either way securityfocus have kindly removed the advisory so we're happy. [quote] mphhh, correct

Re: Re: [KAPDA::#16] - SMF SQL Injection

2005-12-12 Thread Steven M. Christey
>substr(strtolower($_REQUEST['start']), 0, 1) > >So, the string is set to lower case, and then only the FIRST letter is >used within the query. How can anyone exploit the database with a one >character insertion? Of course this is within single quotes as well, >so it cannot even be a command. Th

Re: [KAPDA::#16] - SMF SQL Injection

2005-12-12 Thread ascii
[EMAIL PROTECTED] wrote: I'm a developer from over at simplemachines and > I do not see how this can pose an exploit? /* tabs are evil */ if (!is_numeric($_REQUEST['start'])) { $request = db_query("SELECT COUNT(ID_MEMBER) FROM {$db_prefix}members WHERE LOWER(SUBSTRING(realName, 1, 1)) < '

Re: Re: [KAPDA::#16] - SMF SQL Injection

2005-12-12 Thread polnby
Take a better look at your 'Memberlist.php' source code. // Select the members from the database. $request = db_query(" SELECT mem.ID_MEMBER FROM {$db_prefix}members AS mem LEFT JOIN {$db_prefix}log_online AS lo ON (lo.ID_MEMBER =

Re: Re: [KAPDA::#16] - SMF SQL Injection

2005-12-12 Thread retrogod
[quote] I'm a developer from over at simplemachines and I do not see how this can pose an exploit? Let's examine the code piece by piece: The code is entered at this point: if (!is_numeric($_REQUEST['start'])) So, will be executed if $_REQUEST['start'] is a string. It's then used in the query.

Re: [KAPDA::#16] - SMF SQL Injection

2005-12-10 Thread grudge
I'm a developer from over at simplemachines and I do not see how this can pose an exploit? Let's examine the code piece by piece: The code is entered at this point: if (!is_numeric($_REQUEST['start'])) So, will be executed if $_REQUEST['start'] is a string. It's then used in the query. However,