[VIM] Dragonfly Commerce disputes reports
security curmudgeon
jericho at attrition.org
Mon Jul 18 02:16:59 EDT 2005
: Yes, the only way to really deal with them is to verify ourselves.
:
: Whichever side is true, I suspect that in general we'll see a lot of
: these "invalid input" SQL problems being labeled as SQL injection.
: Only makes sense for a SQL query to barf if it's given a non-numeric
: argument for a numeric field, and quoting the input might stop injection
: but it won't stop the query from failing.
It would be nice if someone respected on F-D or Bugtraq would make a post
regarding 'vulnerability research' and touch on some of these issues.
Mainly a) testing live sites isn't indicative of a vuln in the distributed
product and b) throwing a ' in a field and getting an SQL error message
isn't confirmation of an injection vulnerability.
I'm sure there are other things that are common, but those two come to
mind first.
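To make point b) concrete, here is an added example (not part of the original post) that runs two hypothetical lookup handlers against an in-memory SQLite table: one splices the input into the SQL string, the other casts it to an integer and binds it as a parameter. Both return an error for a lone `'`, which is exactly why the error message alone proves nothing; only a changed result set shows the query's meaning was altered.

```python
import sqlite3


def make_db():
    """Constructed sample table with a numeric key, as a stand-in for a product lookup."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(1, "widget"), (2, "gadget")])
    return conn


def lookup_concat(conn, user_input):
    """Hypothetical handler that splices raw input into the SQL text."""
    sql = "SELECT name FROM products WHERE id = " + user_input
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, user_input):
    """Hypothetical handler: validate the type first, then bind as a parameter."""
    product_id = int(user_input)  # ValueError on anything that is not an integer
    rows = conn.execute("SELECT name FROM products WHERE id = ?", (product_id,))
    return [row[0] for row in rows]


def run(handler, conn, user_input):
    """Return the rows a handler produces, or an 'error: ...' marker if it fails."""
    try:
        return handler(conn, user_input)
    except (sqlite3.Error, ValueError) as exc:
        return f"error: {type(exc).__name__}"


def outcomes():
    """Compare both handlers on a valid id, a lone quote, and a meaning-changing input."""
    conn = make_db()
    inputs = ["2", "'", "2 OR 1=1"]
    return {
        "concat": {i: run(lookup_concat, conn, i) for i in inputs},
        "param": {i: run(lookup_param, conn, i) for i in inputs},
    }


if __name__ == "__main__":
    for name, results in outcomes().items():
        for user_input, result in results.items():
            print(f"{name:6} {user_input!r:12} -> {result}")
```

The quote input errors under both handlers; the third input returns every row only from the spliced handler, and that difference in results, not the error text, is what actually confirms injection.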