[Serusers] sql injection

Jan Janak jan at iptel.org
Tue Mar 1 19:51:22 CET 2005


As far as the mysql module is concerned, all strings are enclosed in '' and
the string itself is escaped using the mysql_real_escape_string function. I
am talking about 0.8.14 and 0.9.0 here.

  Jan.

On 01-03 17:40, Joao Pereira wrote:
> Hello,
> I just noticed that SER and its sql modules aren't sql injection free. I
> mean, they are vulnerable to the input of bad words (drop, remove,
> insert,...) or the existence of the character " ' ". Is there any SER
> version that's free from it? Or do I have to change and recompile my SER
> code?
> 
> Thanks
> Joao
> 
> _______________________________________________
> Serusers mailing list
> serusers at lists.iptel.org
> http://lists.iptel.org/mailman/listinfo/serusers
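An added example, not code from SER or from either poster, showing in C what the approach Jan describes (escape the value, then enclose it in '') does to an input that contains the ' character Joao asks about. escape_sql_literal is a local stand-in that applies the same escaping rules as mysql_real_escape_string but, unlike the real call, takes no MYSQL connection handle and so is not character-set aware; the subscriber table and username column are assumed names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Local stand-in for mysql_real_escape_string() (assumption: same escaping
 * rules, minus the connection handle the real call takes so it can honour the
 * connection's character set). Writes the escaped form of in[0..len) to out,
 * NUL-terminates it and returns the byte count written, NUL excluded.
 * out must have room for 2*len + 1 bytes, the bound libmysqlclient documents.
 */
size_t escape_sql_literal(char *out, const char *in, size_t len)
{
    char *p = out;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)in[i];
        switch (c) {
        case '\0':   *p++ = '\\'; *p++ = '0';  break;   /* NUL          */
        case '\n':   *p++ = '\\'; *p++ = 'n';  break;   /* newline      */
        case '\r':   *p++ = '\\'; *p++ = 'r';  break;   /* CR           */
        case '\\':   *p++ = '\\'; *p++ = '\\'; break;   /* backslash    */
        case '\'':   *p++ = '\\'; *p++ = '\''; break;   /* single quote */
        case '"':    *p++ = '\\'; *p++ = '"';  break;   /* double quote */
        case '\032': *p++ = '\\'; *p++ = 'Z';  break;   /* ctrl-Z       */
        default:     *p++ = (char)c;           break;
        }
    }
    *p = '\0';
    return (size_t)(p - out);
}

/*
 * Build the lookup a module would run for a username taken from a SIP request:
 * the value is escaped first and then enclosed in ''. Table and column names
 * are assumed for this example. Returns 0 on success, -1 if the query does not
 * fit in out[cap] or memory is short.
 */
int build_user_query(char *out, size_t cap, const char *username)
{
    size_t ulen = strlen(username);
    char *esc = malloc(2 * ulen + 1);
    if (esc == NULL)
        return -1;
    escape_sql_literal(esc, username, ulen);
    int n = snprintf(out, cap,
                     "SELECT * FROM subscriber WHERE username='%s'", esc);
    free(esc);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}

/*
 * Defensive check over a built query: count the ' characters that are not
 * preceded by a backslash escape. A query with exactly one quoted literal must
 * yield 2; anything more means the literal closed early and part of the
 * untrusted value is being parsed as SQL.
 */
int count_unescaped_quotes(const char *q)
{
    int n = 0;
    for (const char *p = q; *p; p++) {
        if (*p == '\\' && p[1] != '\0') { p++; continue; }  /* skip escaped char */
        if (*p == '\'')
            n++;
    }
    return n;
}

int main(void)
{
    char q[128];
    const char *name = "o'brien";   /* constructed input containing the ' character */
    if (build_user_query(q, sizeof q, name) == 0)
        printf("%s  (unescaped quotes: %d)\n", q, count_unescaped_quotes(q));
    return 0;
}
```

Running it shows the apostrophe in the constructed name arriving in the query as \' inside the quoted literal, so the literal still closes exactly where the code closed it; count_unescaped_quotes is the kind of check one can drop into a debug path to confirm that property holds for every query a module builds.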