Re: In 2013, there are still programs with huge Unicode bugs :-(

From: Philippe Verdy <verdy_p_at_wanadoo.fr>
Date: Sat, 23 Mar 2013 01:25:07 +0100

And how many web forms forget to check for the presence of a percent sign
and execute SQL searches without checking it, using clauses
similar to "WHERE table.field LIKE :parameter" and binding the
submitted form value directly to the "parameter" placeholder, ignoring
the fact that the percent sign in the right operand of a LIKE is
parsed specially by the SQL engine?

Same thing for programs using submitted values directly (or
concatenating them) to create any kind of regular expression, or to
generate a SQL statement (with the security issue of possible SQL
injection to retrieve confidential data, by terminating the query
statement with a quote and a semicolon and initiating a second statement
which could even drop the full database or alter any other tables in
that database).

2013/3/22 Stephan Stiller <stephan.stiller_at_gmail.com>:
>
>> This one is incredible:
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=922433
Received on Fri Mar 22 2013 - 19:30:25 CDT
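The two failure modes described in the message above, shown side by side as an added example (this is not code from the original post or from any of the programs discussed): a prefix search that binds the user's string into a LIKE pattern without escaping '%' and '_', the same search with the metacharacters escaped and an ESCAPE clause declared, and an equality lookup built by string concatenation next to the same lookup with a bound placeholder. The table, rows and queries are constructed for illustration and run against an in-memory SQLite database via Python's standard sqlite3 module.

```python
"""Prefix search with LIKE: unescaped vs. escaped wildcards, and
string concatenation vs. bound parameters.  Added example, not from
the original post; table, rows and queries are constructed."""
import sqlite3

ESC = "\\"  # escape character declared in the ESCAPE clause below


def escape_like(term: str) -> str:
    """Make a user-supplied string match literally inside a LIKE pattern.
    The escape character itself is doubled first, then '%' and '_'."""
    return (term.replace(ESC, ESC + ESC)
                .replace("%", ESC + "%")
                .replace("_", ESC + "_"))


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows; one name contains
    LIKE metacharacters on purpose."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s1"), ("bob", "s2"), ("100%_done", "s3")],
    )
    return conn


def prefix_search_unescaped(conn, term):
    """The value is bound (no injection), but it is pasted into the
    pattern unchanged: a submitted '%' or '_' acts as a wildcard."""
    rows = conn.execute(
        "SELECT name FROM users WHERE name LIKE ? ORDER BY name",
        (term + "%",),
    )
    return [r[0] for r in rows]


def prefix_search_escaped(conn, term):
    """Bound value plus ESCAPE clause: the user string matches literally;
    only the '%' appended by the application is a wildcard."""
    rows = conn.execute(
        "SELECT name FROM users WHERE name LIKE ? ESCAPE '\\' ORDER BY name",
        (escape_like(term) + "%",),
    )
    return [r[0] for r in rows]


def find_by_name_concat(conn, name):
    """Classic injection: the value becomes part of the SQL text, so a
    quote in the input changes the statement's structure."""
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [r[0] for r in conn.execute(sql)]


def find_by_name_bound(conn, name):
    """Same lookup with a placeholder: quotes in the value stay data."""
    rows = conn.execute(
        "SELECT name FROM users WHERE name = ? ORDER BY name", (name,))
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    print(prefix_search_unescaped(db, "%"))        # every row leaks
    print(prefix_search_escaped(db, "%"))          # []
    print(prefix_search_escaped(db, "100%_"))      # ['100%_done']
    print(find_by_name_concat(db, "x' OR '1'='1"))  # every row leaks
    print(find_by_name_bound(db, "x' OR '1'='1"))   # []
```

Note that escaping is only meaningful together with an ESCAPE clause (or a known engine default), and the escape character must be doubled before '%' and '_' are handled, otherwise an input ending in a backslash can neutralise the escaping of the wildcard that follows it. Binding the value protects against injection but, as the message says, does nothing about LIKE metacharacters, which is why both measures are needed.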

This archive was generated by hypermail 2.2.0 : Fri Mar 22 2013 - 19:30:27 CDT