[VIM] misinterpretation? (Re: Vice Stats 0.5b SQL injection)

Steven M. Christey coley at linus.mitre.org
Thu Jun 8 15:10:37 EDT 2006

immediate guess based on no research whatsoever is that a non-numeric
input for ID would produce an SQL error, which the researcher might be
mistakenly thinking is SQL injection.

or maybe something like "OR 1 = 1" would work to retrieve the wrong ID?

just a couple guesses...

On Thu, 8 Jun 2006, Stuart Moore wrote:

> Hi.  Can someone double check this?  In the original "SQL injection"
> report, it says:
> /vs_resource.php?ID=[SQL]
> But in the version 0.2beta, 0.5beta, and 1.0, the first reference to the
> ID parameter is around line 99:
> $_GET['ID']=mysql_real_escape_string($_GET['ID']);
> This is just prior to the use of the ID parameter in:
> $sql="SELECT r.ID, r.type
> 	FROM {$vs_dbPrefix}resource r
> 	WHERE r.ID={$_GET['ID']}";
> $result=mysql_query($sql);
> Thanks,
> Stuart
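The point at issue in this thread is whether escaping the ID parameter protects a numeric comparison that is interpolated without surrounding quotes. The following Python sketch is an added illustration, not code from the thread or from Vice Stats: it approximates what mysql_real_escape_string does (backslash-escaping quotes and a few control characters), builds the unquoted `WHERE r.ID=...` query the same way the quoted PHP does against a constructed in-memory SQLite table standing in for the resource table, and contrasts it with a hardened lookup that validates the parameter as a strict integer and binds it. Table and column names and the sample rows are assumptions.

```python
import re
import sqlite3

# Constructed stand-in for the {$vs_dbPrefix}resource table (assumption).
_CONN = sqlite3.connect(":memory:")
_CONN.execute("CREATE TABLE vs_resource (ID INTEGER PRIMARY KEY, type TEXT)")
_CONN.executemany("INSERT INTO vs_resource VALUES (?, ?)",
                  [(1, "link"), (2, "file"), (3, "image")])
_CONN.commit()


def escape_like_mysql(value: str) -> str:
    """Approximation of mysql_real_escape_string: backslash-escape quotes,
    backslashes and a handful of control characters. Spaces, letters, digits
    and '=' pass through untouched, which is exactly why escaping alone does
    nothing for an unquoted numeric comparison."""
    table = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\0": "\\0",
             "\n": "\\n", "\r": "\\r", "\x1a": "\\Z"}
    return "".join(table.get(ch, ch) for ch in value)


def lookup_escaped_unquoted(raw_id: str):
    """The pattern from the report: escape the value, then interpolate it
    into an UNQUOTED numeric comparison. A non-numeric value yields an SQL
    error; a value with no quote characters is interpolated verbatim."""
    sql = (f"SELECT ID, type FROM vs_resource "
           f"WHERE ID={escape_like_mysql(raw_id)}")
    return _CONN.execute(sql).fetchall()


def is_valid_id(raw_id: str) -> bool:
    """Strict whitelist check: the ID must be a short string of digits."""
    return re.fullmatch(r"[0-9]{1,9}", raw_id) is not None


def lookup_hardened(raw_id: str):
    """Hardened form: reject anything that is not an integer literal, then
    bind the value as a parameter instead of interpolating it."""
    if not is_valid_id(raw_id):
        raise ValueError("ID must be a positive integer")
    return _CONN.execute("SELECT ID, type FROM vs_resource WHERE ID=?",
                         (int(raw_id),)).fetchall()


def row_count_difference(raw_id: str) -> int:
    """Number of rows the unquoted query returns beyond the single row a
    well-formed ID should match; 0 means the input behaved like a plain ID.
    Used here as a check, not as something to expose to users."""
    return len(lookup_escaped_unquoted(raw_id)) - 1


if __name__ == "__main__":
    print(lookup_escaped_unquoted("2"))          # one row
    print(escape_like_mysql("2 OR 1=1"))          # unchanged by escaping
    print(row_count_difference("2 OR 1=1"))       # extra rows returned
    print(is_valid_id("2"), is_valid_id("2 OR 1=1"))
```

The contrast captures both guesses in Steven's reply: a non-numeric value makes the unquoted query fail with a database error, while a value that contains no quote characters survives escaping unchanged. The integer whitelist plus a bound parameter removes both problems; in PHP the equivalent would be casting with `(int)` or using a prepared statement rather than relying on mysql_real_escape_string for a numeric column.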
