[development] Bug#336719: Can you reproduce this on 4.5.3-4?
Hilko Bengen
bengen at debian.org
Fri Nov 11 13:57:40 UTC 2005
Florian Weimer <fw at deneb.enyo.de> writes:
>> db_query uses sprintf to replace placeholder expressions if passed
>> more than one argument and it seems to me that using %s does the
>> same thing as PHP's string expansion as in 4.5.3.
>
> What about SQL injection? Doesn't db_query protect against it, while
> PHP's string expansion doesn't?
At second glance, it does seem like it: db_query performs quoting on
those arguments which are then added via snprintf().
Do you have any idea how the $key parameter to sess_destroy
(includes/session.inc) is generated?
Cheers,
-Hilko who is once again shocked how little he knows about PHP's
internal magic
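To make the distinction discussed above concrete, here is an added example (not Drupal's code and not from this thread) that models in Python the two ways of building the sess_destroy query: raw PHP-style string expansion of $key versus a db_query-style template whose %s arguments are escaped and %d arguments cast before sprintf substitution. The escaping rule, the to_int cast and the sample key are assumptions for illustration.

```python
import re

# Simplified model of a Drupal 4.x-style db_query(): the SQL template carries
# the quotes, %s arguments are escaped and %d arguments are cast to int before
# sprintf-style substitution. Not Drupal's code; escaping rules are assumed.

def escape_string(value: str) -> str:
    """MySQL-style escaping of backslashes and single quotes (assumed rule)."""
    return value.replace("\\", "\\\\").replace("'", "\\'")

def to_int(value) -> int:
    """Model PHP's (int) cast: leading integer prefix, otherwise 0."""
    m = re.match(r"\s*-?\d+", str(value))
    return int(m.group()) if m else 0

def db_query_model(template: str, *args) -> str:
    """Substitute %s/%d placeholders with escaped/cast arguments."""
    specs = re.findall(r"%([sd])", template)
    if len(specs) != len(args):
        raise ValueError("placeholder/argument count mismatch")
    safe = [to_int(a) if spec == "d" else escape_string(str(a))
            for spec, a in zip(specs, args)]
    return template % tuple(safe)

def string_expansion(key: str) -> str:
    """The PHP "... '$key'" interpolation the thread compares against."""
    return f"DELETE FROM sessions WHERE sid = '{key}'"

def unescaped_quotes(sql: str) -> int:
    """Count single quotes not preceded by a backslash. A template with one
    string literal should yield exactly 2 whatever the argument contains."""
    return len(re.findall(r"(?<!\\)'", sql))

if __name__ == "__main__":
    hostile_key = "x' OR '1'='1"   # constructed sample value for a session id
    unsafe = string_expansion(hostile_key)
    safe = db_query_model("DELETE FROM sessions WHERE sid = '%s'", hostile_key)
    print(unsafe, unescaped_quotes(unsafe))  # 6: the key broke out of the literal
    print(safe, unescaped_quotes(safe))      # 2: the key stays inside the literal
    print(db_query_model("SELECT * FROM users WHERE uid = %d", "7; DROP TABLE users"))
```

The quote count is a cheap self-check a reviewer can run over generated statements: a template with N string literals must always yield 2N unescaped quotes after substitution, independent of the arguments.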