[VIM] misinterpretation? (Re: Vice Stats 0.5b SQL injection)
Stuart Moore
smoore at securityglobal.net
Thu Jun 8 02:41:08 EDT 2006
Hi. Can someone double-check this? In the original "SQL injection"
report, it says:
/vs_resource.php?ID=[SQL]
But in versions 0.2beta, 0.5beta, and 1.0, the first reference to the
ID parameter is around line 99:
$_GET['ID']=mysql_real_escape_string($_GET['ID']);
This is just prior to the use of the ID parameter in:
$sql="SELECT r.ID, r.type
FROM {$vs_dbPrefix}resource r
WHERE r.ID={$_GET['ID']}";
$result=mysql_query($sql);
Thanks,
Stuart
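An added illustration (not Vice Stats code, and not part of the post above) of why the escaping call on line 99 does not settle the question: mysql_real_escape_string() only neutralises quote and backslash characters, while the query interpolates ID without surrounding quotes. The escape helper, table prefix and sample inputs below are constructed stand-ins.

```php
<?php
// Hypothetical stand-in for mysql_real_escape_string(): same quoting rules,
// but needs no live connection (the real function is gone in PHP 7+).
function escape_like_mysql_real_escape_string(string $s): string {
    return addcslashes($s, "\x00\n\r\\'\"\x1a");
}

// Mirrors the Vice Stats query shape: WHERE r.ID={$_GET['ID']} with no quotes,
// so an input that contains no quote characters reaches the SQL unchanged.
function build_query_escaped_only(string $id, string $prefix = 'vs_'): string {
    $id = escape_like_mysql_real_escape_string($id);
    return "SELECT r.ID, r.type FROM {$prefix}resource r WHERE r.ID={$id}";
}

// Hardened variant: an integer column gets an integer, so whatever is
// interpolated can only ever be digits.
function build_query_cast(string $id, string $prefix = 'vs_'): string {
    $safeId = (int)$id;
    return "SELECT r.ID, r.type FROM {$prefix}resource r WHERE r.ID={$safeId}";
}

// General fix: a prepared statement keeps the value out of the SQL text.
function fetch_resource(PDO $pdo, string $id, string $prefix = 'vs_'): ?array {
    $stmt = $pdo->prepare(
        "SELECT r.ID, r.type FROM {$prefix}resource r WHERE r.ID = :id"
    );
    $stmt->bindValue(':id', (int)$id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: a benign ID and one with no quote characters, which the
// escaping function therefore leaves untouched.
foreach (['7', '7 OR 1=1'] as $in) {
    echo "input: {$in}\n";
    echo "  escaped only: " . build_query_escaped_only($in) . "\n";
    echo "  cast to int:  " . build_query_cast($in) . "\n";
}
```

Comparing the two generated queries for the second input shows the escaped-only version still carries the extra condition, while the cast version reduces it to `r.ID=7`.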