[Ampache updated] packages that use deprecated SQL escape functions

2009-10-19 Thread Charlie Smotherman
On Thu, 2009-10-15 at 13:26 +1100, Steffen Joeris wrote: > Hi everyone > > We had a few issues in the past with insufficient database escaping, which > led > to possible SQL injections due to the use of the deprecated functions > mysql_escape_string() and PQescapeString(). > These functions do

Re: packages that use deprecated SQL escape functions

2009-10-15 Thread Ben Finney
Mauro Lizaur writes: > According to php.net [0], they recommend to use > 'mysql_real_escape_string' instead [1]. Note that > mysql_real_escape_string behaves a little bit differently from > mysql_escape_string, though. > > [0] http://ar2.php.net/mysql_escape_string > [1] http://ar2.php.net/manual/e

Re: packages that use deprecated SQL escape functions

2009-10-15 Thread Mauro Lizaur
2009-10-16, Ben Finney: > Raphael Geissert writes: > > > FTR, in php 5.3 the mysql_escape_string function is marked as > > deprecated (and depending on the error reporting level it will warn) > > and in php6 it is gone. > > Reference, please? I'd like to know what function is recommended to >

Re: packages that use deprecated SQL escape functions

2009-10-15 Thread Ben Finney
Raphael Geissert writes: > FTR, in php 5.3 the mysql_escape_string function is marked as > deprecated (and depending on the error reporting level it will warn) > and in php6 it is gone. Reference, please? I'd like to know what function is recommended to replace this one. -- \ “Never use

Re: packages that use deprecated SQL escape functions

2009-10-15 Thread Raphael Geissert
Hi Steffen, In future checks it would be easier and more accurate to look for the deprecated functions on the binary packages, because not all of the packages ship/use all of the files they include in the source package. FTR, in php 5.3 the mysql_escape_string function is marked as deprecated (an

Re: packages that use deprecated SQL escape functions - dd-list

2009-10-15 Thread Stefano Zacchiroli
On Thu, Oct 15, 2009 at 10:27:57AM +0200, Emilio Pozuelo Monfort wrote: > > Thanks to Kees, I have prepared a list of packages (below) that are still > > using the deprecated functions. > Can you post a dd-list? Your list doesn't include uploaders so it's easy to > miss > team-maintained packages

Re: packages that use deprecated SQL escape functions

2009-10-15 Thread Michal Čihař
Hi On Thu, 15 Oct 2009 13:26:14 +1100 Steffen Joeris wrote: > gammu: Michal Čihař > ./gammu-1.24.0/smsd/services/pgsql.c: > PQescapeString(buffer4, buffer2, strlen(buffer2)); > ./gammu-1.24.0/smsd/services/pgsql.c: > PQescapeString(buff

Re: packages that use deprecated SQL escape functions

2009-10-15 Thread Emilio Pozuelo Monfort
Hi Steffen, Steffen Joeris wrote: > Thanks to Kees, I have prepared a list of packages (below) that are still > using the deprecated functions. Can you post a dd-list? Your list doesn't include uploaders so it's easy to miss team-maintained packages. Thanks, Emilio

Re: packages that use deprecated SQL escape functions

2009-10-14 Thread Steffen Joeris
Hi Charles On Thu, 15 Oct 2009 01:50:35 pm Charles Plessy wrote: > On Thu, Oct 15, 2009 at 01:26:14PM +1100, Steffen Joeris wrote: > > In the near future, I will try to do the archive scan again and file bugs > > with severity "normal" for the packages below that are still relying on > > the de

Re: packages that use deprecated SQL escape functions

2009-10-14 Thread Charles Plessy
On Thu, Oct 15, 2009 at 01:26:14PM +1100, Steffen Joeris wrote: > > In the near future, I will try to do the archive scan again and file bugs > with > severity "normal" for the packages below that are still relying on the > deprecated functions. (Should they be found vulnerable, the severity

packages that use deprecated SQL escape functions

2009-10-14 Thread Steffen Joeris
Hi everyone We had a few issues in the past with insufficient database escaping, which led to possible SQL injections due to the use of the deprecated functions mysql_escape_string() and PQescapeString(). These functions do not take the encoding of the established connection into account, whic