[VIM] misinterpretation? (Re: Vice Stats 0.5b SQL injection)

Stuart Moore smoore at securityglobal.net
Thu Jun 8 02:41:08 EDT 2006

Hi.  Can someone double check this?  In the original "SQL injection" 
report, it says:


But in the version 0.2beta, 0.5beta, and 1.0, the first reference to the 
ID parameter is around line 99:


This is just prior to the use of the ID parameter in:

$sql="SELECT r.ID, r.type
	FROM {$vs_dbPrefix}resource r
	WHERE r.ID={$_GET['ID']}";



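For readers checking the code path above: the query interpolates $_GET['ID'] unquoted into the WHERE clause, so the fix is to validate the value as an integer and bind it as a parameter. The following is an added example, not Vice Stats code or part of the original post; it assumes an in-memory SQLite database through PDO and mirrors the post's "{$vs_dbPrefix}resource" table and r.ID / r.type columns.

```php
<?php
// Added example, not Vice Stats code. Runs stand-alone against an
// in-memory SQLite database; table and column names follow the post.

function fetchResource(PDO $pdo, string $vs_dbPrefix, array $get): ?array
{
    // Validate the parameter as an integer before it goes near SQL.
    // filter_var() returns false for anything that is not a plain integer
    // (a missing key, "1.5", or a value carrying extra SQL tokens).
    $id = filter_var($get['ID'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null; // reject the request; the caller can log the bad input
    }

    // The prefix is configuration, not user input, but it is still
    // interpolated into the query text, so keep it identifier-safe.
    if (!preg_match('/^[A-Za-z0-9_]*$/', $vs_dbPrefix)) {
        throw new InvalidArgumentException('unsafe table prefix');
    }

    // Prepared statement: the SQL text is fixed and the ID is bound as
    // data, so the value can never alter the query's structure.
    $stmt = $pdo->prepare(
        "SELECT r.ID, r.type FROM {$vs_dbPrefix}resource r WHERE r.ID = :id"
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data (hypothetical rows, not from the project).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$vs_dbPrefix = 'vs_';
$pdo->exec("CREATE TABLE {$vs_dbPrefix}resource (ID INTEGER PRIMARY KEY, type TEXT)");
$pdo->exec("INSERT INTO {$vs_dbPrefix}resource VALUES (1, 'book'), (2, 'video')");

var_dump(fetchResource($pdo, $vs_dbPrefix, ['ID' => '2']));        // well-formed numeric ID
var_dump(fetchResource($pdo, $vs_dbPrefix, ['ID' => '2 OR 1=1'])); // non-numeric input, rejected before any SQL runs
var_dump(fetchResource($pdo, $vs_dbPrefix, []));                   // ID parameter absent
```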