[Care2x-general] Fw: Re: AW: [Care2002-developers] about patients and personnel in the same table
Walter Nunez
admin at ciberneticamedica.com
Sat Nov 13 01:41:41 CET 2004
Hi all,
I am very glad about this particular topic because we are actually working to
test a part of care2x which for a long time was relatively taken for granted.
Just a short history. Way back in 2002, Daniel Frieja from Germany notified me
of this danger and I followed his suggestion to use PHP's native function
"addslashes()" which neutralizes the user input. After that, and after some
testing rounds, we decided it was good enough.
But it could happen that some parts of the program, especially those that are
not explicitly in danger, were overlooked.
So, keep on testing and trying to compromise the system by using this "SQL
inject" attack. Inform us about the results. If you can make the patch
yourself, it would be much better. Please send us the patches afterwards.
Thanks,
Elpidio
On Friday 12 November 2004 08:24, Joachim Mollin wrote:
> Sorry,
>
> I tried your example on my system, but I did not come in with that password
>
> Joachim
--
Walter Alfonso Núnez Rivera
Physician - Programmer
Pascual de Andagoya 140 Lima 32 Perú
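As an added illustration of the escaping approach the message describes (example code, not from this list or from Care2x), the addslashes() mitigation next to a parameterized query; it assumes PHP 7+ with PDO and the pdo_sqlite driver, and the `users` table, its rows and the function names are constructed for the demonstration.

```php
<?php
// Added example, not Care2x code: the addslashes() mitigation described in
// the message, beside a parameterized query that does not depend on any
// database's escaping rules. Assumes PHP 7+ with PDO and pdo_sqlite; the
// "users" table and its rows are constructed here for the demonstration.

// The 2002-era approach: addslashes() puts a backslash before ' " \ and NUL,
// so a quote in user input cannot close the literal it is embedded in.
// Returns the SQL text so the effect of the escaping can be inspected.
function loginSqlWithAddslashes(string $user, string $pass): string
{
    $u = addslashes($user);
    $p = addslashes($pass);
    // Limits a reviewer would point out:
    //  - it only helps inside quoted literals; an unquoted numeric column
    //    (WHERE id = $id) needs a cast such as (int)$id instead;
    //  - backslash escaping is a MySQL convention, SQLite and standard SQL
    //    double the quote, so this string is not portable across engines;
    //  - it ignores the connection charset, which is why the old mysql
    //    extension provided mysql_real_escape_string() as the alternative.
    return "SELECT id FROM users WHERE login = '$u' AND password = '$p'";
}

// The robust form: the values travel separately from the SQL text, so no
// escaping rule has to be correct. The same code works on MySQL or SQLite.
// (Plain-text password comparison is kept only to keep the example short;
// real code compares a password hash.)
function loginPrepared(PDO $db, string $user, string $pass): ?int
{
    $stmt = $db->prepare('SELECT id FROM users WHERE login = :u AND password = :p');
    $stmt->execute([':u' => $user, ':p' => $pass]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Constructed demo data in an in-memory SQLite database (no server needed).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, password TEXT)');
$db->exec("INSERT INTO users (login, password) VALUES ('o''brien', 'secret')");

echo loginSqlWithAddslashes("O'Brien", 'secret'), "\n";
var_dump(loginPrepared($db, "o'brien", 'secret'));   // id of the matching row
var_dump(loginPrepared($db, "o'brien", 'nope'));     // null when nothing matches
```

The first function is only run against MySQL-style backslash escaping in practice; against the SQLite demo database the prepared form is the one that is executed.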