[VIM] misinterpretation? (Re: Vice Stats 0.5b SQL injection)

Steven M. Christey coley at linus.mitre.org
Thu Jun 8 15:10:37 EDT 2006


immediate guess based on no research whatsoever is that a non-numeric
input for ID would produce an SQL error, which the researcher might be
mistakenly thinking is SQL injection.

or maybe something like "OR 1 = 1" would work to retrieve the wrong ID?

just a couple guesses...

On Thu, 8 Jun 2006, Stuart Moore wrote:

> Hi.  Can someone double check this?  In the original "SQL injection"
> report, it says:
>
> /vs_resource.php?ID=[SQL]
>
> But in versions 0.2beta, 0.5beta, and 1.0, the first reference to the
> ID parameter is around line 99:
>
> $_GET['ID']=mysql_real_escape_string($_GET['ID']);
>
> This is just prior to the use of the ID parameter in:
>
> $sql="SELECT r.ID, r.type
> 	FROM {$vs_dbPrefix}resource r
> 	WHERE r.ID={$_GET['ID']}";
> $result=mysql_query($sql);
>
> Thanks,
>
> Stuart
>
>
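To make the two guesses above concrete, here is an added example (not from this thread or the Vice Stats code) that models the quoted query construction in Python, with sqlite3 standing in for MySQL. `mysql_real_escape_string` is a simplified model of the PHP function, the `resource` table is constructed sample data, and `lookup_parameterised` is the hardened form with a bound parameter. It shows that escaping leaves an unquoted numeric value such as `1 OR 1=1` untouched, that a non-numeric value only produces an SQL error, and that a bound parameter closes both.

```python
import re
import sqlite3

# Constructed sample rows standing in for the {$vs_dbPrefix}resource table.
ROWS = [(1, "book"), (2, "video"), (3, "article")]


def mysql_real_escape_string(value: str) -> str:
    """Simplified model of PHP's mysql_real_escape_string.

    It backslash-escapes the characters that could break out of a *quoted*
    string literal. It adds no quotes and leaves digits, spaces and SQL
    keywords alone, so it cannot protect a value interpolated unquoted.
    """
    return re.sub(r"([\\'\"\x00\n\r\x1a])", r"\\\1", value)


def _db() -> sqlite3.Connection:
    # Fresh in-memory database per call so every lookup starts from ROWS.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE resource (ID INTEGER, type TEXT)")
    con.executemany("INSERT INTO resource VALUES (?, ?)", ROWS)
    return con


def lookup_escaped(user_id: str) -> list:
    """The vs_resource.php pattern: escape, then interpolate without quotes.

    "2"         -> one row
    "1 OR 1=1"  -> every row (the escape function changed nothing)
    "abc"       -> sqlite3.OperationalError, i.e. a plain SQL error
    """
    escaped = mysql_real_escape_string(user_id)
    sql = f"SELECT r.ID, r.type FROM resource r WHERE r.ID={escaped}"
    return _db().execute(sql).fetchall()


def lookup_parameterised(user_id: str) -> list:
    """Hardened form: the value is bound, never parsed as part of the SQL."""
    sql = "SELECT r.ID, r.type FROM resource r WHERE r.ID=?"
    return _db().execute(sql, (user_id,)).fetchall()


if __name__ == "__main__":
    print(lookup_escaped("2"))
    print(lookup_escaped("1 OR 1=1"))
    print(lookup_parameterised("1 OR 1=1"))
```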

